
The company that owns Shein will pay New York state $1.9 million for data breach

New York Attorney General Letitia James announced a $1.9 million penalty for Zoetop, the company that owns Shein and Romwe. Millions of user accounts on the shopping sites were stolen.

A cartoon illustration shows a shadowy figure carrying off a red directory folder, which has a surprised-looking face on its side.
Illustration by Beatrice Sala

The company behind the ultra-fast-fashion brands Shein and Romwe will pay New York state $1.9 million over a data breach affecting millions of customers. The fine stems from charges that Zoetop failed to secure customers’ data, didn’t properly inform customers of the breach, and tried to keep the extent of the leak quiet.

The penalty comes after an investigation by the Office of the Attorney General into a 2018 hack in which credit card and personal information, like names, emails, and hashed passwords, was stolen. The data breach affected 39 million Shein and 7 million Romwe accounts, including more than 800,000 accounts belonging to New Yorkers.

Romwe reset passwords more than a year after it was hacked and told customers they’d simply expired

According to the OAG, after Zoetop learned of the hack, the company only contacted some of the affected customers and failed to reset passwords for any of the accounts. For 32.5 million Shein accounts, Zoetop didn’t alert users that their login information had been exposed. The company is also accused of misrepresenting the number of customers whose data was stolen and saying it had no evidence that credit card information was stolen.

Two years later, Romwe customers were notified of a data breach after Zoetop found customer logins on the dark web believed to be from the 2018 hack. When Zoetop finally did reset passwords for all Romwe customers in December 2020, the investigation found that it told customers their passwords had expired because they had not been changed for a year. The following February, it replaced that message with a different one that simply said, “We detected suspicious activity, please verify your identity in order to restore your account.”

The OAG investigation also found that Zoetop “failed to maintain reasonable security measures” at the time of the hack, including using insufficient password management systems and failing to monitor for security issues or have a comprehensive plan in place in case of a cyberattack.

The e-commerce website is hugely popular with young people around the world, churning out a near-constant stream of clothing and accessories for bottom-of-the-barrel prices. According to Politico, Shein was valued at over $100 billion this year.