Shein and Romwe owner Zoetop is settling a lawsuit for $1.9 million following a 2018 data breach in which the company was hacked and the account data of 46 million users, including 800,000 New York residents, was stolen. The company also reportedly tried to downplay the scale of the attack and did not have sufficient cybersecurity measures in place.
An investigation by the state of New York revealed that Zoetop was storing users’ credit card information in a plaintext debug log whenever a transaction failed. When the company was hacked in June 2018, attackers found full card details on nearly 30,000 orders. The attackers also stole customer data including names, cities, email addresses and hashed passwords. These credentials would later be sold on the dark web.
Making matters worse, the method Zoetop used to hash passwords was vulnerable to password cracking attacks, which revealed the actual passwords for the stolen accounts.
Zoetop was eventually informed of the breach by its payment processor around a month later in June 2018. A major credit card network and a bank had contacted the payment processor indicating that customers’ financial data was extracted from the company’s systems.
The New York investigation states that Zoetop was fully aware of the scale of at least Shein’s data loss: Zoetop itself hired a cybersecurity firm to assess damages, which confirmed that 39 million Shein customers had their data stolen. An additional seven million Romwe users’ account information was also stolen, a fact that came to light in 2020.
Following the attack, the company claimed that only 6.42 million customers who had placed orders during the attack window had been affected, heavily downplaying the incident’s scale. The company also didn’t bother to force its users to reset passwords or even inform all impacted customers.
The entire debacle ends with Zoetop having to pay $1.9 million to settle the lawsuit against it, a drop in the bucket for the giant considering the current valuation Shein and Romwe enjoy. The company has also agreed to improve its security practices to include better password hashing, network monitoring and vulnerability scanning, and to put incident response protocols in place.