Here Comes the Fashion (Cybersecurity) Police: New York Attorney General Imposes Penalty for Mishandling of Consumer Data Breach
By Jeff Johnston, Briana Falcon, and Winnie Johnson*
On October 12, 2022, New York Attorney General Letitia James fined Zoetop Business Company, Ltd. (“Zoetop”), the owner of fast-fashion brands SHEIN and ROMWE, $1.9 million for mishandling a 2018 data breach and lying to the public about the scope of the breach. “Failing to protect consumers’ personal data and lying about it is not trendy,” says Attorney General James.
In 2018, the company’s payment processor alerted Zoetop that their system had been subjected to a cyberattack. A credit card issuing bank found that SHEIN was a common point of purchase in several of its customers’ accounts that had been linked to fraud. The cybersecurity firm hired to investigate the attack found that the bad actors had, at a minimum, attempted to exfiltrate customer credit card information and access SHEIN customers’ personal information. Login credentials were later put up for sale on an Internet forum. The breach affected 39 million SHEIN accounts worldwide.
Weak Security Measures
The New York Attorney General found that, at the time of the breach, Zoetop used a method for “hashing” customer passwords (turning each password into an unintelligible form) that was known to be an insecure algorithm. Zoetop also failed to further protect the passwords by adequately “salting” them, that is, adding random characters to each password before hashing so that the stored hashes remain difficult to reverse even if the algorithm is broken. Zoetop added only a two-digit salt to the passwords.
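As an added illustration (not code from the order or from the company), the legacy scheme below models the findings with a fast hash and a two-digit salt, and the hardened scheme beside it uses a per-account random salt and a slow key-derivation function; MD5 and PBKDF2 are assumptions chosen for the example, since the order does not name the algorithm Zoetop used. The audit helper shows why a two-digit salt is inadequate: across any number of accounts it can never produce more than 100 distinct salts.

```python
import hashlib
import hmac
import os
import secrets

# Legacy scheme modelled on the findings: a fast hash over a two-digit salt.
# MD5 is an assumption used as a stand-in for "an insecure algorithm"; the
# order does not name the algorithm Zoetop actually used.
def legacy_hash(password: str) -> str:
    salt = f"{secrets.randbelow(100):02d}"  # only "00" .. "99" are possible
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"md5${salt}${digest}"

# Hardened scheme: 16 random bytes of salt per account and a deliberately
# slow KDF (PBKDF2-HMAC-SHA256 from the standard library).
PBKDF2_ITERATIONS = 600_000

def secure_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def secure_verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # refuse anything not stored under the hardened scheme
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

def salt_of(stored: str) -> str:
    parts = stored.split("$")
    return parts[1] if parts[0] == "md5" else parts[2]

def distinct_salts(stored_hashes: list[str]) -> int:
    """Audit helper for a password table: how many different salts are in use.
    A two-digit salt caps this at 100 regardless of how many accounts exist,
    so one precomputed table per salt would cover the entire user base."""
    return len({salt_of(h) for h in stored_hashes})

if __name__ == "__main__":
    # Constructed sample accounts; low iteration count only to keep the demo quick.
    legacy = [legacy_hash(f"password{i}") for i in range(5000)]
    strong = [secure_hash(f"password{i}", 10_000) for i in range(200)]
    print("legacy salts in use:", distinct_salts(legacy), "(max 100)")
    print("hardened salts in use:", distinct_salts(strong), "(one per account)")
```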
After the breach, Zoetop did not force a password reset for the affected accounts. Instead, SHEIN contacted only a subset of the affected accounts to recommend a self-initiated password reset. The remaining affected users were not informed that their login credentials were compromised.
Zoetop also, at the time of the breach, failed to adhere to various Payment Card Industry Data Security Standard (PCI DSS) requirements. First, Zoetop did not adequately protect customers’ credit card data because, due to a misconfiguration, its system stored unencrypted credit card data in a debug log whenever a transaction error occurred. Second, the company did not regularly monitor audit logs to identify security incidents or test the network for vulnerabilities. Lastly, the company did not have a comprehensive incident response plan, as evidenced by its failure to alert affected customers of the 2018 breach and reset their passwords.
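The debug-log finding above is the kind of leak a logging filter can catch as a last line of defence. The following added example (not code from the order or the company) masks Luhn-valid card numbers before a record reaches the log, keeping only the last four digits; the sample payload and the 4111 1111 1111 1111 test number are constructed for the example.

```python
import logging
import re

# Anything that looks like a 13-19 digit card number, with optional spaces or
# dashes between digits; false positives are weeded out by the Luhn check.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in `text` with asterisks plus its last four
    digits, so an error log cannot become a store of unencrypted card data."""
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_valid(digits):
            return match.group()              # e.g. an order or transaction id
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, text)

class PanRedactingFilter(logging.Filter):
    """Attach to the logger or handler used on the payment error path."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pans(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(mask_pans(str(a)) for a in record.args)
        return True

def transaction_error_line(order_id: str, gateway_response: str) -> str:
    """The line a debug log receives for a failed transaction, after redaction.
    The primary fix is to never log the raw payload; this is defence in depth."""
    return mask_pans(f"transaction failed order={order_id} response={gateway_response}")

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger("payments")
    log.addFilter(PanRedactingFilter())
    # Constructed sample payload as a misconfigured handler might dump it.
    log.debug("gateway error 502: card=%s exp=%s", "4111 1111 1111 1111", "12/26")
    print(transaction_error_line("1234567890123456", "declined pan=4111111111111111"))
```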
Mischaracterization of the Breach
Zoetop’s public disclosure of the breach was found to be misleading. Zoetop falsely stated that only 6.41 million customers (the affected accounts that had actually placed an order with SHEIN) were affected by the breach. Additionally, on the FAQ page on SHEIN’s website concerning the breach, the company asserted that it had seen no evidence that customers’ credit card information was stolen. On the contrary, Zoetop had received reports indicating a possibility that credit card information had been stolen. Zoetop failed to disclose this risk to customers.
Untimely Disclosure to Affected Customers
In June 2020, Zoetop discovered plaintext ROMWE customer login credentials on the Dark Web, resulting from the same 2018 breach. The login credentials of 7.3 million ROMWE accounts were stolen in the 2018 breach. Instead of contacting affected ROMWE customers about this discovery, Zoetop reset the account passwords and prompted the customers with a notification to change their password: “Your password has a low security level and may be at risk. Please change your login password.” Zoetop also failed to notify the ROMWE customers of the incident until December 2020.
What This Means for You
Attorney General James stated, “[t]his agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated.”
Companies should ensure that user credentials are adequately protected by using secure algorithms and regularly monitoring and testing their networks to identify security incidents or vulnerabilities. Additionally, companies should put in place incident response plans that, among other things, provide for the reset of compromised passwords and prompt notification to affected users. The New York Attorney General’s findings indicate that the best practice is forcing a password reset, instead of merely recommending a self-initiated reset or presenting users with a “victim-blaming” prompt to reset their password.
V&E assists clients in identifying, managing, and mitigating data privacy and cybersecurity risks, from early planning and assessment to managing incident response and resulting litigation.
*Winnie Johnson is a law clerk in our Houston office.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.