- New York AG Letitia James secured a $1.9 million settlement with online fashion retailer Zoetop Business Company, Ltd. – which owns and operates popular e-commerce brands SHEIN and ROMWE – and SHEIN Distribution Corporation (collectively “SHEIN”) to resolve allegations that the companies violated New York consumer protection laws by mishandling customer data and misrepresenting the scope of a 2018 data breach that compromised the payment card information and personal data of millions of consumers worldwide, including 800,000 New York residents.
- The state alleged in the assurance of discontinuance that attackers were able to access 39 million SHEIN customer accounts and likely exfiltrated customer payment card information and personal data, including customer names, addresses, emails, and hashed account passwords. The AG further alleged that, following the incident, SHEIN failed to promptly notify its customers about the data breach and force a password reset for all account holders. SHEIN also allegedly misrepresented the scope of the incident in its press release and online FAQ page and declined to fully cooperate with a PCI-qualified forensic investigator, which, according to the state, in its limited review determined that the company failed to comply with PCI-DSS requirements to which companies that collect credit card payment information are expected to adhere.
- Under the terms of the settlement, SHEIN must pay $1.9 million in penalties and costs and maintain a comprehensive information security program that documents specific security measures and controls. Such controls include, among other things, conducting annual risk assessments, selecting and engaging appropriate service providers, implementing password management policies and procedures, establishing a logging and monitoring system, and conducting regular vulnerability scans. In addition, the company must appoint a qualified employee to oversee the information security program and offer identity protection services to customers at no charge.