Zoetop Business Company, Ltd., which owns the juggernaut Chinese fast fashion business SHEIN, has been ordered to pay $1.9 million in penalties to New York state after failing to protect consumer information in a 2018 data breach and subsequently lying about it, New York Attorney General Letitia James announced on Wednesday. The 2018 breach resulted in the theft of SHEIN shoppers’ credit card and personal information, and the attorney general’s investigation found that Zoetop misrepresented the scale of the data breach both in interactions with customers and in public statements. “Since 2018, we have significantly expanded our cybersecurity team; retained leading cybersecurity experts to help build our security organization and strengthen our global security posture to combat potential risks and vulnerabilities; implemented technologies designed to detect bad actors and mitigate potential threats to our systems; and further enhanced our incident response processes and procedures,” SHEIN told The Daily Beast in a statement. “In addition, we have been certified as compliant with the ISO’s 27001 standard and the payment card industry’s Digital Security Standard for data protection.”
