
Fashion brand SHEIN fined $1.9m for lying about data breach

Chinese company Zoetop, former owner of the wildly popular SHEIN and ROMWE “fast fashion” brands, has been fined $1,900,000 by the State of New York.

As Attorney General Letitia James put it in a statement last week:

SHEIN and ROMWE’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data.

As if that weren’t bad enough, James went on to say:

[P]ersonal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy. SHEIN and ROMWE must button up their cybersecurity measures to protect consumers from fraud and identity theft.

Frankly, we’re surprised that Zoetop (now SHEIN Distribution Corporation in the US) got off so lightly, considering the size, wealth and brand power of the company, its apparent lack of even basic precautions that could have prevented or reduced the danger posed by the breach, and its ongoing dishonesty in handling the breach after it became known.

Breach discovered by outsiders

According to the Office of the Attorney General of New York, Zoetop didn’t even notice the breach, which happened in June 2018, by itself.

Instead, Zoetop’s payment processor figured out that the company had been breached, following fraud reports from two sources: a credit card company and a bank.

The credit card company came across SHEIN customers’ card data for sale on an underground forum, suggesting that the data had been acquired in bulk from the company itself, or one of its IT partners.

And the bank identified SHEIN (pronounced “she in”, if you hadn’t worked that out already, not “shine”) as what’s known as a CPP in the payment histories of numerous customers who had been defrauded.

CPP is short for common point of purchase, and means exactly what it says: if 100 customers independently report fraud against their cards, and if the only common merchant to whom all 100 customers recently made payments is company X…

…then you have circumstantial evidence that X is a likely cause of the “fraud outbreak”, in the same sort of way that groundbreaking British epidemiologist John Snow traced an 1854 cholera outbreak in London back to a polluted water pump in Broad Street, Soho.
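As an added illustration (not part of the Sophos article), here is the CPP reasoning in Python over constructed card histories; the merchant names, card ids and thresholds are all made up. It goes one step beyond the text by comparing each merchant against the base fraud rate, which is what stops a shop that every card holder uses from being flagged simply because it is common to every victim too.

```python
"""Common point of purchase (CPP) analysis over constructed card histories."""
from collections import defaultdict
from typing import Dict, Set

# Constructed sample data (not from the article): card id -> merchants charged
# in the look-back window. "Grocer" is used by every card holder; "Merchant X"
# is the compromised merchant in this made-up scenario, not a real company.
HISTORIES: Dict[str, Set[str]] = {
    "card-01": {"Merchant X", "Grocer", "Fuel Co"},
    "card-02": {"Merchant X", "Grocer", "Bookshop"},
    "card-03": {"Merchant X", "Grocer"},
    "card-04": {"Merchant X", "Grocer", "Fuel Co", "Bookshop"},
    "card-05": {"Merchant X", "Grocer"},  # shopped at X, no fraud reported (yet)
    "card-06": {"Grocer", "Fuel Co"},
    "card-07": {"Grocer", "Bookshop"},
    "card-08": {"Grocer"},
    "card-09": {"Grocer", "Fuel Co"},
    "card-10": {"Grocer", "Bookshop"},
    "card-11": {"Grocer", "Fuel Co", "Bookshop"},
    "card-12": {"Grocer"},
}
# Constructed: holders who independently reported unauthorised charges.
FRAUD_REPORTS: Set[str] = {"card-01", "card-02", "card-03", "card-04"}

def rank_cpp_candidates(histories, fraud_reports, min_coverage=0.9, min_lift=2.0):
    """Rank merchants as CPP candidates, as (merchant, coverage, fraud_rate, lift).

    coverage   - share of fraud-reporting cards that paid this merchant
                 (1.0 means the merchant is common to every victim).
    fraud_rate - share of this merchant's customers who reported fraud.
    lift       - fraud_rate divided by the base fraud rate over all cards.
    A merchant everyone uses (the grocer) has coverage 1.0 but lift 1.0, so
    it is not flagged: being common to the victims is not enough on its own.
    """
    customers = defaultdict(set)
    for card, merchants in histories.items():
        for merchant in merchants:
            customers[merchant].add(card)
    base_rate = len(fraud_reports) / len(histories)
    ranked = []
    for merchant, cards in customers.items():
        victims = cards & fraud_reports
        coverage = len(victims) / len(fraud_reports)
        fraud_rate = len(victims) / len(cards)
        lift = fraud_rate / base_rate
        if coverage >= min_coverage and lift >= min_lift:
            ranked.append((merchant, round(coverage, 3), round(fraud_rate, 3), round(lift, 2)))
    ranked.sort(key=lambda row: (row[3], row[1]), reverse=True)
    return ranked
```

On the sample data only Merchant X survives the filter (coverage 1.0, lift 2.4); the grocer has the same coverage but a lift of 1.0, and only appears if `min_lift` is lowered to 1.0.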

Snow’s work helped to dismiss the idea that diseases simply “spread through foul air”, established “germ theory” as a medical reality, and revolutionised thinking on public health. He also showed how objective measurement and testing could help connect causes and effects, thus ensuring that future researchers didn’t waste time coming up with impossible explanations and seeking useless “solutions”.

Didn’t take precautions

Unsurprisingly, given that the company found out about the breach second-hand, the New York investigation castigated the business for not bothering with cybersecurity monitoring, given that it “did not run regular external vulnerability scans or regularly monitor or review audit logs to identify security incidents.”

The investigation also reported that Zoetop:

Didn’t tell the truth

The company was also roundly criticised for its dishonesty in how it dealt with customers after it knew the extent of the attack.

For example, the company:

The company, it seems, also neglected to mention that it knew it had suffered a data-stealing malware infection and had been unable to produce evidence that the attack had yielded nothing.

It also failed to disclose that it sometimes knowingly saved full card details in debug logs (at least 27,295 times, in fact), but didn’t actually try to track those rogue log files down in its systems to see where they ended up or who might have had access to them.
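A defender-side check for exactly this failure mode, added here and not taken from the article or from the company: a scanner that finds Luhn-valid card numbers in debug-log lines and masks them to the first six and last four digits, so the finding can be followed up without copying the full number anywhere else. The log lines are constructed and the card numbers are the well-known test numbers, not real cards.

```python
"""Find and mask card numbers (PANs) that leaked into application debug logs."""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by spaces or dashes as PANs are often typed.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out order ids, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_pans(line: str) -> Tuple[str, List[str]]:
    """Return (masked line, masked PANs found in it).

    First six and last four digits are kept (the usual PCI DSS masking rule)
    so each finding can still be matched to a transaction record without
    writing the full number into yet another file.
    """
    found: List[str] = []

    def _mask(match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # not a card number, leave it alone
        masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        found.append(masked)
        return masked

    return PAN_CANDIDATE.sub(_mask, line), found

def scan_log(lines) -> List[Tuple[int, List[str]]]:
    """Return (line number, masked PANs) for every log line holding a PAN."""
    return [(n, found) for n, (_, found) in
            enumerate((redact_pans(line) for line in lines), 1) if found]

# Constructed sample log lines (not from the real incident).
SAMPLE_LOG = [
    "2018-06-12 10:01:33 DEBUG checkout payload: {cardNumber: '4111111111111111', exp: '09/21'}",
    "2018-06-12 10:01:34 DEBUG order 20180612000123456 created",  # 17 digits, fails Luhn
    "2018-06-12 10:01:35 DEBUG card token tok_3f9a2 issued",
    "2018-06-12 10:02:01 DEBUG raw input: 5555 5555 5555 4444",
]
```

Running `scan_log(SAMPLE_LOG)` reports lines 1 and 4 only; the 17-digit order id on line 2 is a candidate by shape but fails the Luhn test and is left untouched.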

To add injury to insult, the investigation further found that the company was not PCI DSS compliant (its rogue debug logs made sure of that), was ordered to submit to a PCI forensic investigation, but then refused to allow the investigators the access they needed to do their work.

As the court documents wryly note, “[n]evertheless, in the limited review it conducted, the [PCI-qualified forensic investigator] found several areas in which Zoetop’s systems were not compliant with PCI DSS.”

Perhaps worst of all, when the company discovered passwords from its ROMWE website for sale on the dark web in June 2020, and ultimately realised that this data was probably stolen back in the 2018 breach that it had already tried to cover up…

…its response, for several months, was to present affected users with a victim-blaming login prompt saying, “Your password has a low security level and may be at risk. Please change your login password”.

That message was subsequently changed to a diversionary statement saying, “Your password has not been updated in more than 365 days. For your protection, please update it now.”

Only in December 2020, after a second tranche of passwords-for-sale was found on the dark web, apparently bringing the ROMWE part of the breach to more than 7,000,000 accounts, did the company admit to its customers that they had been mixed up in what it blandly referred to as a “data security incident.”

What to do?

Unfortunately, the punishment in this case doesn’t seem to put much pressure on “who-cares-about-cybersecurity-when-you-can-just-pay-the-fine?” companies to do the right thing, whether before, during or after a cybersecurity incident.

Should penalties for this sort of behaviour be higher?

For as long as there are businesses out there that seem to treat fines simply as a cost-of-business that can be worked into the budget in advance, are financial penalties even the right way to go?

Or should companies that suffer breaches of this sort, then try to impede third-party investigators, and then to hide the full truth of what happened from their customers…

…simply be prevented from trading at all, for love or money?

Have your say in the comments below! (You may remain anonymous.)



