ALBANY, N.Y. (NEWS10) — New York Attorney General Letitia James secured 1.9 million from Zoetop Business Company, Ltd. (Zoetop). According to the Attorney General, Zoetop failed to properly handle a data breach that compromised the personal information of millions of customers.

Zoetop, which owns and operates popular e-commence brands SHEIN and ROMWE, had a data breach in which 39 million SHEIN accounts and seven million ROMWE accounts were stolen, including accounts for more than 800,000 New York residents. SHEIN and ROMWE are both popular shopping sites used primarily by millennials and Gen Z. An investigation by the Office of the Attorney General (OAG) revealed that the company failed to properly safeguard consumers’ information before the data breach, failed to take adequate steps to protect many of the impacted accounts after the breach, and downplayed the extent of the cyberattack to consumers. As a result of today’s agreement, Zoetop must pay $1.9 million in penalties to the state and strengthen its cybersecurity measures to protect consumers’ information.

“SHEIN and ROMWE’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data,” said Attorney General James. “While New Yorkers were shopping for the latest trends on SHEIN and ROMWE, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. 

The cybersecurity firm Zoetop used to conduct an investigation confirmed that attackers had gained access to Zoetop’s internal network and had altered code responsible for processing customer transactions in an attempt to intercept and exfiltrate customer’s credit card information. The cybersecurity firm also found that the attackers had exfiltrated the personal information of SHEIN customers, including names, email addresses, and hashed account passwords.

The OAG investigation found that Zoetop contacted only a fraction of the 39 million SHEIN accounts whose login credentials had been compromised and did not reset passwords or otherwise protect any of the exposed accounts. In addition, Zoetop’s public statements about the data breach included several misrepresentations about the breach’s size and scope. In efforts to strengthen Zoetop’s cybersecurity it must maintain a comprehensive information security program that includes robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice, and prompt password resets.