A 2018 data breach puts Shein in the spotlight as ultra-fast fashion e-commerce platform Gen-Z continues to conquer markets around the world.
Zoetop, the company that owns Shein and its sister brand Romwe, has been fined $1.9 million by New York for failing to properly handle a security incident, according to a notice from the state attorney general’s office this week. New York doesn’t publicly release reports of data breaches like in Maine, New Hampshire, California, or other states, which is why the AG came in so much later than when the cyberattack happened.
Shein, founded in China and recently moved its core assets to Singapore, saw explosive growth during the pandemic as virus prevention pushed consumers to shop online. Its stunning affordability and extensive clothing options have made it one of the fastest growing consumer internet platforms in the world over the past two years.
The company’s meteoric rise puts the once humble fashion exporter from China on the spot. It went from a few years ago without a dedicated PR staff to now scrambling to deal with mounting media questions about supply chain transparency and alleged design theft as it grows and getting ready for an IPO.
The data breach poses yet another PR problem. The company claims it has significantly stepped up its security measures since then.
“We have fully cooperated with the New York Attorney General and are pleased to have resolved this matter. Protecting our customers’ data and maintaining their trust is a top priority, especially with ongoing cyber threats facing businesses around the world. Since the data breach, which happened in 2018, we have taken important steps to further strengthen our cybersecurity stance and remain vigilant,” Shein said in a statement.
A cybersecurity attack that originated in 2018 resulted in the theft of 39 million Shein account information, including that of more than 375,000 New York residents, according to the AG’s announcement. An investigation by the AG’s office found that Zoetop contacted only “a fraction” of the 39 million compromised accounts, and for the vast majority of affected users, the company did not even warn them that their credentials had been stolen.
The AG’s office also concluded that Zoetop’s public statements about the data breach were misleading. In one case, the company falsely stated that only 6.42 million consumers were affected and that it was in the process of informing all affected users.
A lot has changed since 2018. Shein has grown from an emerging online fast fashion retailer into an all-encompassing e-commerce platform that threatens Amazon. In the second quarter of this year, US downloads of the app surpassed Amazon’s for the first time. The data breach may be dated, but keep in mind that Shein has been in business since 2008, so four years is quite recent in the company’s history. Cost-cutting, trend-seeking Gen-Z consumers can continue to shop on Shein despite the publicity problems, but much remains to be done to gain the trust of regulators and the general public.