Zoetop, parent company to online clothing retailers SHEIN and ROMWE, agreed to pay $1.9 million as part of a settlement with the New York Attorney General’s Office for failing to properly protect customer information compromised during a 2018 data breach.

Zoetop did not properly protect customer data before or after the breach and “downplayed the extent” of the incident, New York Attorney General Letitia James said in an Oct. 12 press release.

Zoetop didn’t know where on its system it stored customer credit card information, James alleged. It allowed some credit card transaction information to be stored in plain text, she said, and used an algorithm to protect customer passwords that was known to be weak.

Zoetop didn’t regularly monitor its systems to catch security breaches, and it didn’t regularly check for weaknesses that would allow a breach, the attorney general alleged.

These failings allowed cybercriminals to break into customer accounts in June 2018 and steal passwords, credit card numbers, customer names, and email addresses, James said in an assurance of discontinuance.

Zoetop didn’t learn about the attack until a payment processor told the company a credit card network and its related bank believed the credit card data of Zoetop customers had been stolen. A cybersecurity firm hired by Zoetop confirmed the attack, but Zoetop didn’t have a comprehensive plan for how to respond to the breach, James said.

After the breach, Zoetop informed “only a fraction” of the 39 million SHEIN customers impacted by it, James alleged. Zoetop didn’t immediately reset passwords or take steps to protect the endangered accounts, she said. The company told the public just 6.42 million customers had been impacted and it had seen no evidence credit card information was stolen.

By July 2019, Zoetop made changes to properly protect customer passwords, James said.

In 2020, the company informed more than 7 million ROMWE customers their login credentials had been stolen, believed to be part of the same 2018 breach. The company did reset customer passwords after discovering they were being sold on the dark web.

In total, more than 800,000 New York residents had their account details exposed because of the breach.

As part of the settlement, Zoetop agreed to “maintain a comprehensive information security program” that includes strong encryption of customer passwords, monitoring its network for suspicious activity, and creating policies for addressing breaches. Zoetop agreed its response policy will include the timely investigation of breaches, customer notification, and prompt password resets.

“While New Yorkers were shopping for the latest trends on SHEIN and ROMWE, their personal data was stolen, and Zoetop tried to cover it up,” James said in the release. “Failing to protect consumers’ personal data and lying about it is not trendy. SHEIN and ROMWE must button up their cybersecurity measures to protect consumers from fraud and identity theft.”

The agreement is a warning companies must “strengthen their digital security measures and be transparent with consumers,” James added.

“We have fully cooperated with the New York Attorney General and are pleased to have resolved this matter,” Zoetop said in an emailed statement. “Protecting our customers’ data and maintaining their trust is a top priority, especially with ongoing cyber threats posed to businesses around the world. Since the data breach, which occurred in 2018, we have taken significant steps to further strengthen our cybersecurity posture, and we remain vigilant.”