Zoetop Business Company, Ltd., which owns the juggernaut Chinese fast fashion business SHEIN, has been ordered to pay $1.9 million in penalties to New York state after failing to protect consumer information in a 2018 data breach and subsequently lying about it, New York Attorney General Letitia James announced on Wednesday.
The 2018 breach resulted in the theft of SHEIN shoppers’ credit card and personal information, and the attorney general’s investigation found that Zoetop misrepresented the scale of the data breach both in interactions with customers and in public statements.
Shein says it has taken "significant steps" to improve its cyber-security.
Names, email addresses, passwords and credit-card information belonging to tens of millions of Shein account holders were stolen by hackers and sold online.
The New York Attorney General's office said Zoetop had failed to safeguard customer data and to inform millions of account holders their personal information had been exposed.
Among those affected were more than 800,000 customers living in New York.
"While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up,"
Ms James said
At the time, the company also told consumers it had seen "no evidence" of credit-card or payment information being compromised and only email addresses and passwords had been stolen.
"Failing to protect consumers' personal data and lying about it is not trendy," Ms James said.