“Shein, Romwe owner Zoetop fined $1.9m over data breach response” BBC News (2022)

As far as my study form the following news which published by BBC UK (https://www.bbc.co.uk/news/technology-63255661) on 14 October 2022. I found some causes of the data breach at Shein, Romwe and its parent company Zoetop, along with the potential breach, are as follows:

1. Inadequate Cybersecurity Measures: The breach occurred due to weak cybersecurity measures in place at both Shein and Romwe, making it easier for hackers to exploit vulnerabilities and steal sensitive customer data.
2. Failure to Safeguard Customer Data: Zoetop failed to adequately safeguard customer data, allowing hackers to access login details for 39 million Shein accounts and 7 million Romwe
3. Prompt Notification Lack: The Company did not promptly notify affected customers about the breach. Initially, Zoetop reported that only 6.42 million Shein accounts had been exposed, which was a significant underreporting of the actual breach size.
4. False Information: Zoetop provided false information to affected customers by stating that there was "no evidence" of credit-card or payment information compromise, when, in fact, sensitive data, including credit card details, had been stolen.
5. No Forced Password Resets: The Company did not enforce password resets for all affected accounts, leaving them vulnerable even after the breach was discovered.
6. Cover-Up Attempts: Zoetop was accused of attempting to cover up the extent of the breach, which delayed necessary actions and responses.

Could it have been avoided? Yes, the data breach at Shein and Romwe could have potentially been avoided or mitigated through various cybersecurity practices:

1. Strong Cybersecurity Measures: Implementing strong cybersecurity measures, including regular security audits, penetration testing, and network monitoring, can help identify and address vulnerabilities before they are exploited by hackers.
2. Encryption: Encrypting sensitive customer data, especially payment information (Card Number, Security Code), can make it more difficult for attackers to steal usable data even if they gain access to it.
3. Notification: In the event of a data breach, organizations should promptly notify affected customers, regulators, and law enforcement agencies. This helps affected individuals take necessary actions to protect themselves.
4. Password Resets: Enforcing password resets for all affected customers can mitigate the risk of unauthorized access even after a breach.
5. Transparency: Providing accurate and transparent information to affected individuals about the nature and extent of the breach is crucial for maintaining trust and enabling them to take appropriate actions.
6. Security Improvement: Regularly updating and improving cybersecurity measures and practices to stay ahead of evolving threats is essential.
7. Employee Training: Providing cybersecurity awareness and training to employees can help prevent insider threats and improve overall security.
8. Data Protection Laws: Ensuring compliance with data protection laws and regulations is vital for protecting customer data and avoiding legal consequences.

The data breach at Shein and Romwe could have been avoided or mitigated through a combination of strong cybersecurity practices, transparency, and timely response to security incidents. Cybersecurity is an ongoing process, and organizations must continuously adapt to evolving threats to protect customer data effectively.