Published on November 4th, 2022
Here Comes the Fashion (Cybersecurity) Police: New York Attorney General Imposes Penalty for Mishandling of Consumer Data Breach | Vinson & Elkins LLP
[co-author: Winnie Johnson]
On October 12, 2022, New York Attorney General Letitia James fined Zoetop Business Company, Ltd. (“Zoetop”), the owner of fast-fashion brands SHEIN and ROMWE, $1.9 million for mishandling a 2018 data breach and lying to the public about the scope of the breach. “Failing to protect consumers’ personal data and lying about it is not trendy,” said Attorney General James.
Overview
In 2018, the company’s payment processor alerted Zoetop that its system had been subjected to a cyberattack. A credit card issuing bank had found that SHEIN was a common point of purchase across several of its customers’ accounts that had been linked to fraud. The cybersecurity firm hired to investigate the attack found that the attackers had, at a minimum, attempted to exfiltrate customer credit card information and to access SHEIN customers’ personal information. Login credentials were later put up for sale on an Internet forum. The breach affected 39 million SHEIN accounts worldwide.
Weak Security Measures
The New York Attorney General found that, at the time of the breach, Zoetop “hashed” customer passwords (converted them into a form that cannot be read back directly) with an algorithm that was already known to be insecure. Zoetop also failed to adequately “salt” the passwords, that is, to add random data to each password before hashing so that an attacker who steals the stored hashes cannot crack them with a precomputed lookup table. Zoetop used only a two-digit salt, which allows just 100 distinct values, so an attacker needs only 100 such tables to cover every account.
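The following is an added example, not code from the page or from Zoetop, showing why a two-digit salt leaves a password database crackable by table lookup and what the corrected scheme looks like. The weak scheme is a reconstruction of the findings: the page does not name the insecure algorithm, so MD5 is an assumption, as are the wordlist, the sample records and the PBKDF2 iteration count.

```python
import hashlib
import hmac
import os
import secrets

# Constructed wordlist standing in for an attacker's password dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "shein2018", "romwe"]


# --- Weak scheme, reconstructed from the findings: a fast, obsolete hash plus a
# two-digit salt. MD5 is an assumption; the page does not name the algorithm.
def weak_hash(password: str, salt: str) -> str:
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def weak_store(password: str):
    salt = f"{secrets.randbelow(100):02d}"   # only 100 possible salt values
    return salt, weak_hash(password, salt)


def build_weak_table(wordlist):
    """Precompute hash -> word for every (salt, word) pair.

    With 100 salts the table is 100x the wordlist: cheap to build once and
    reusable against every stolen record, which is what salting should prevent.
    """
    table = {}
    for i in range(100):
        salt = f"{i:02d}"
        for word in wordlist:
            table[weak_hash(word, salt)] = word
    return table


def crack_weak(records, table):
    """Recover passwords from stolen (salt, hash) records by lookup alone; None if absent."""
    return {user: table.get(digest) for user, (_salt, digest) in records.items()}


# --- Hardened scheme: a unique 16-byte random salt per user and a slow,
# iterated hash. 600,000 is the assumed iteration count (OWASP guidance for
# PBKDF2-HMAC-SHA256 at time of writing); tune it to your hardware.
ITERATIONS = 600_000


def strong_store(password: str):
    salt = os.urandom(16)   # 2**128 possible salts: no table can be precomputed
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Constructed sample of stolen records: (two-digit salt, weak hash) per user.
SAMPLE_RECORDS = {
    "alice": ("07", weak_hash("letmein", "07")),
    "bob": ("42", weak_hash("Tr0ub4dor&3", "42")),
}

if __name__ == "__main__":
    table = build_weak_table(WORDLIST)
    print(f"weak table: {len(table)} entries cover every possible salt")
    print("cracked from the weak store:", crack_weak(SAMPLE_RECORDS, table))
    salt, digest = strong_store("letmein")
    print("strong verify (correct password):", strong_verify("letmein", salt, digest))
    print("strong verify (wrong password):  ", strong_verify("letmeout", salt, digest))
```

Alice's password falls to the precomputed table without a single hash being computed at attack time; Bob survives only because his password is not in the wordlist. Under the hardened scheme the salt space is 2^128, so the attacker must run the slow hash per guess per user, and a correct verification still happens in constant time.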
After the breach, Zoetop did not force a password reset for the affected accounts. Instead, SHEIN contacted only a subset of the affected accounts to recommend a self-initiated password reset. The remaining affected users were not informed that their login credentials were compromised.
Zoetop also, at the time of the breach, failed to adhere to several requirements of the Payment Card Industry Data Security Standard (PCI DSS). First, Zoetop did not adequately protect customers’ credit card data: because of a misconfiguration, its system wrote unencrypted credit card data to a debug log whenever a transaction error occurred. Second, the company did not regularly monitor audit logs to identify security incidents or test its network for vulnerabilities. Lastly, the company did not have a comprehensive incident response plan, as evidenced by its failure to alert affected customers of the 2018 breach and to reset their passwords.
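The debug-log failure above is a common one: a handler meant for development stays enabled in production and persists whatever the error path dumps. The example below is added here and is not Zoetop's code or configuration; it shows a logging filter that masks card numbers (PANs) and CVVs before any handler, including a debug file handler, sees the record. The log line, field names and regexes are assumptions for illustration.

```python
import logging
import re

# 13-19 digits, optionally separated by spaces or hyphens (assumed PAN format).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A CVV/CVC field such as "cvv=123" or "cvc: 4567" (assumed field names).
CVV_RE = re.compile(r"\b(cvv2?|cvc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that order or transaction ids of similar length are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pan(text: str) -> str:
    """Mask every Luhn-valid card number down to its last four digits and blank CVVs."""
    def mask(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw                      # not a card number; leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]

    text = PAN_RE.sub(mask, text)
    return CVV_RE.sub(lambda m: f"{m.group(1)}=***", text)


class RedactingFilter(logging.Filter):
    """Rewrites the record itself, so every handler (file, console, debug dump)
    receives the masked message. Attach it to the logger, not to one handler,
    or a handler added later by a misconfiguration bypasses it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pan(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact_pan(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact_pan(str(a)) for a in record.args)
        return True


class _CaptureHandler(logging.Handler):
    """Stands in for the debug file handler; keeps formatted lines in memory."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


def log_transaction_error(message: str, *args) -> str:
    """Emit a DEBUG record through a redacting logger and return what the handler stored."""
    logger = logging.getLogger("payments.redaction_example")
    logger.setLevel(logging.DEBUG)      # the "accidental" verbose level
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    capture = _CaptureHandler()
    logger.addHandler(capture)
    logger.addFilter(RedactingFilter())
    logger.debug(message, *args)
    return capture.lines[0]


if __name__ == "__main__":
    # Constructed error-path log call of the kind the findings describe.
    print(log_transaction_error(
        "Transaction failed: card=%s exp=12/26 cvv=123", "4111 1111 1111 1111"))
```

Redaction at the logging layer is a safety net, not the fix: the error path should never hand a full PAN to the logger in the first place. The filter is worth having because the misconfiguration described above is exactly the case where that first line of defence has already failed.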
Mischaracterization of the Breach
Zoetop’s public disclosure of the breach was found to be misleading. Zoetop falsely stated that only 6.41 million customers (the affected accounts that had actually placed an order with SHEIN) were affected by the breach. Additionally, on the FAQ page on SHEIN’s website concerning the breach, the company asserted that it had seen no evidence that customers’ credit card information was stolen. On the contrary, Zoetop had received reports indicating a possibility that credit card information had been stolen. Zoetop failed to disclose this risk to customers.
Untimely Disclosure to Affected Customers
In June 2020, Zoetop discovered plaintext ROMWE customer login credentials on the Dark Web, resulting from the same 2018 breach. The login credentials of 7.3 million ROMWE accounts had been stolen in the 2018 breach. Instead of contacting affected ROMWE customers about this discovery, Zoetop reset the account passwords and prompted the customers with a notification to change their password: “Your password has a low security level and may be at risk. Please change your login password.” Zoetop did not notify the ROMWE customers of the incident until December 2020.
What This Means for You
Attorney General James stated, “[t]his agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated.”
Companies should ensure that user credentials are adequately protected by hashing them with a current, purpose-built password hashing algorithm and a unique random salt per user, and by regularly monitoring and testing their networks to identify security incidents and vulnerabilities. Additionally, companies should put in place incident response plans that, among other things, provide for the reset of compromised passwords and prompt notification of affected users. The New York Attorney General’s findings indicate that the best practice is to force a password reset, rather than merely recommending a self-initiated reset or presenting users with a “victim-blaming” prompt to reset their password.
*Winnie Johnson is a law clerk in our Houston office.