Online retailer Zoetop will pay $1.9 million after 46 million customers’ account details were stolen in 2018.
Announcing the settlement this week, New York Attorney General Letitia James said Hong Kong's Zoetop, which owns fast fashion brands Shein and Romwe, also tried to downplay the scale of the cyberattack and was pretty bad at securing people's personal data.
“Shein and Romwe’s weak digital security measures made it easy for hackers to steal consumers’ personal information,” James said in a statement. “Failing to protect consumers’ personal information and lying about it is not trending.”
That payout will leave no mark on the privately held discount retailer, whose Shein brand alone is worth $100 billion. It's just the cost of doing business, as some say.
According to a New York State investigation [PDF], Zoetop stored people’s credit card numbers in plain text in a debug log when a transaction failed. When intruders broke into the retailer’s computers in June 2018, they could have found the full card details of nearly 30,000 orders in this file. Zoetop could not tell if this log had been exfiltrated.
In addition, the crooks stole customer account details, including names, cities, email addresses, and hashed passwords; the credentials were later sold on an underworld cybercrime forum.
As for those hashed passwords, "The method Zoetop used to hash the passwords left them vulnerable to password-cracking attacks, which allowed attackers to identify the original unhashed password," the New York investigation found.
This means that not only were the plain-text passwords fairly easily obtained, they were paired with an email address and sold to other crooks who could use the information to log into people’s accounts on other websites, when those users reused their passwords. Because of this, it’s important to set a unique password per website or app.
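The contrast between the weak hashing the investigation describes and the "robust" password hashing the settlement demands, as an added example that is not from the article or the investigation. The scheme Zoetop actually used is not stated, so an unsalted fast hash (SHA-1) is assumed for the weak case, and the wordlist is constructed for illustration:

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionaries used in offline cracking.
WORDLIST = ["123456", "password", "qwerty", "letmein", "fashion2018"]

# scrypt cost parameters (assumed reasonable defaults; tune per deployment).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def weak_hash(password: str) -> str:
    """Assumed weak scheme: unsalted, fast hash. Identical passwords give
    identical hashes, so one precomputed table cracks every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_weak(hash_hex: str, wordlist=WORDLIST):
    """One-time table build, then O(1) lookups: this is why a leaked
    unsalted-hash dump is effectively a plaintext dump for common passwords."""
    table = {weak_hash(w): w for w in wordlist}
    return table.get(hash_hex)  # None if the password is not in the wordlist


def robust_hash(password: str, salt: bytes = None) -> tuple:
    """Per-user random salt plus memory-hard scrypt (hashlib.scrypt, stdlib).
    Returns (salt, digest); both are stored, neither is secret."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_robust(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest."""
    _, candidate = robust_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def salts_defeat_shared_table(password: str) -> bool:
    """Same password, two users: the stored digests differ, so a table built
    against one user's salt yields nothing for the other."""
    _, d1 = robust_hash(password)
    _, d2 = robust_hash(password)
    return d1 != d2


if __name__ == "__main__":
    leaked = weak_hash("qwerty")
    print("weak hash recovered as:", lookup_weak(leaked))
    salt, digest = robust_hash("qwerty")
    print("robust verify ok:", verify_robust("qwerty", salt, digest))
    print("per-user salts differ:", salts_defeat_shared_table("qwerty"))
```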
Zoetop didn't realize its systems had been compromised until about a month later, we're told. Around July 18, 2018, Zoetop's payment processor said it had been contacted by a major credit card network and another issuing bank "to report that [Zoetop's] system[s] had been infiltrated and card data stolen."
After that, Zoetop hired a cybersecurity firm, which confirmed the exfiltration: About 39 million Shein customers had their account information stolen. It would be two years before it was discovered that seven million Romwe shoppers also had their data stolen.
At the end of the 2018 investigation, the mega-retailer downplayed the security breach and, according to James, did not enforce a password reset or contact all affected Shein shoppers. Instead, Zoetop only notified a fraction of the compromised users, claiming in a press release that 6.42 million customers who placed online orders were affected.
According to the New York investigation, Zoetop was by then fully aware of the extent of the Shein credential theft.
Then, in 2020, after finding more customer data for sale on the dark web, Zoetop discovered that the usernames and passwords of seven million Romwe accounts had also been exfiltrated in the 2018 theft.
In addition, according to NY AG:
In addition to paying $1.9 million to resolve the case, Zoetop also agreed to enhance its security program to include “robust” password hashing, network monitoring, vulnerability scanning, and incident response policies.
The retailer also pledged to conduct timely investigations and consumer notifications — along with password resets — if (or when) another network breach occurs. ®
https://www.theregister.com/2022/10/14/zoetop_data_breach_fine/ Zoetop Pays $1.9M to Settle Customer Data Theft Case • The Register