Skip links

Store credit card numbers in a debug log, lose millions of accounts. Cost? $1.9m

Online retailer Zoetop will fork out $1.9 million after account data belonging to 46 million customers was stolen in 2018.

In announcing the settlement this week, New York Attorney General Letitia James said Hong Kong’s Zoetop, which owns fast-fashion brands Shein and Romwe, also tried to downplay the scale of the cyberattack and was pretty bad at securing people’s personal information.

“Shein’s and Romwe’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data,” James said in a statement. “Failing to protect consumers’ personal data and lying about it is not trendy.”

This payout won’t leave a mark on the privately-owned bargain-clobber slinger, whose Shein brand alone is valued at $100 billion. It’s just the cost of doing business, as some say.

According to a New York state investigation [PDF], Zoetop stored people’s credit card numbers in plain text in a debug log whenever a transaction encountered an error. So when intruders broke into the retailer’s computers in June 2018, they would have been able to find full card details on nearly 30,000 orders in that file. Zoetop couldn’t say whether that log had been exfiltrated.

In addition, the crooks stole customer account records including names, cities, email addresses, and hashed passwords; the login information was later sold on an underworld cyber-crime forum.

And about those hashed passwords: “The method Zoetop had used to hash the passwords left them susceptible to password cracking attacks, through which attackers could identify the original, unhashed password,” the New York probe found.

That means not only were the plain-text passwords pretty much obtainable, they would be paired with an email address and sold to other crooks, who could use the info to log into people’s accounts on other websites, if those users reused their passwords. This is why it’s important to set a unique password per site or app.

Zoetop didn’t realize its systems had been compromised until about a month later, we’re told. Around July 18, 2018, the web giant’s payment processor told Zoetop it had been contacted by a major credit card network and another issuing bank “indicating that [Zoetop’s] system[s] have been infiltrated and card data stolen.”

After that, Zoetop hired a cybersecurity firm, which confirmed the exfiltration: some 39 million Shein customers had their account info swiped. It would take two years to discover that seven million Romwe shoppers had their info stolen too.

At the conclusion of the 2018 investigation, the mega-retailer downplayed the security breach and didn’t force a password reset nor contact all of the affected Shein shoppers, according to James. Instead, Zoetop only messaged a fraction of the compromised users, and claimed in a press release that 6.42 million customers who had placed online orders were affected.

According to the New York investigation, Zoetop was fully aware of the scale of the Shein credential theft, at least.

Then, in 2020, after discovering more customer data for sale on the dark web, Zoetop realized seven million Romwe accounts’ usernames and passwords had also been exfiltrated in the 2018 theft.

On top of this, according to the NY AG:

In addition to paying $1.9 million to settle the case, Zoetop also agreed to improve its security program to include “robust” password hashing, network monitoring, vulnerability scanning, and incident response policies. 

Also, the retailer promised to conduct timely investigations and consumer notifications — along with password resets — if (or when) it suffers another network breach. ®