Zoetop, the holding company behind retailer giant Romwe and Shein, has been fined $1.9m after it failed to properly inform customers of a data breach that reportedly affected millions of users.
According to a notice from New York’s attorney general’s office this week, the 2018 data breach saw Zoetop failing to secure customers’ data, not adequately informing customers of it and trying to keep the real impact of the leak quiet.
The 2018 hack saw credit cards and personal information theft, including names, emails and hashed passwords. The data breach reportedly affected 39 million Shein and seven million Romwe accounts, more than 800,000 of which belonged to New Yorkers.
“Shein and Romwe’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data,” said New York attorney general Letitia James.
“[They] must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers; anything less will not be tolerated.”
More generally, risks connected to an organization not disclosing that it has been breached are substantial, according to Patrick Wragg, cyber incident response manager at Integrity360.
Talking to Infosecurity, the executive said the first type of risk is financial.
“Not only will the organization suffer from operational issues (disruption to service) and therefore loss of revenue, but if they do not disclose the breach to the likes of the ICO (especially if customer data is stolen), the fines are often exponentially bigger than the threat actor ransom itself,” Wragg explained.
Further, companies may suffer reputational and trust risks should they neglect to disclose a data breach.
“If customers find out that their data was stolen and the company tried to hide the fact, then they will be much less likely to use that company in the future due to trust,” Wragg said.
“Companies/partners will [also] be less likely to do business with a company that has purposely not disclosed a breach because they don’t want to get caught in the ‘black hole’ of negative reception.”
The Zoetop news comes in the wake of a duo of data breaches in Australia that affected subsidiaries of the telecommunication giant Singtel.