Consumer Electronics Daily was a Warren News publication.
Reasonable ‘Safeguards’ Ignored

Class Action Alleges Romwe.com Hid Data Breach Fallout for 2 Years

Romwe.com owner Shein Distribution removed to U.S. District Court for Central California in Los Angeles Monday a class action (docket 2:23-cv-08025) alleging the e-commerce apparel store for two years covered up the fallout from a July 2018 data breach that exposed the login credentials of as many as 7.3 million U.S. consumers.

Shein doesn’t waive “any defenses available under the law,” said its notice of removal. Nor does the retailer concede that the allegations in Devon Wallman’s complaint are accurate, or that she’s entitled to damages, equitable relief, attorneys’ fees and costs or any other form of relief, it said.

Shein was targeted in a July 2018 cyberattack when a payment processor alerted the company that its systems “appeared to have been compromised,” said Wallman’s Aug. 22 class action in Los Angeles County Superior Court. The processor reported it had been contacted by a large credit card network and a credit card issuing bank, each of which notified Shein that its systems had been “infiltrated and card data stolen,” it said.

The credit card network told Shein it found its customers’ credit card numbers for sale “on an internet forum known for trafficking in stolen payment card data,” said the complaint. Customers’ usernames and passwords “were exposed in the data breach,” it said.

Shein then discovered in June 2020 that the login credentials for 7.3 million Romwe.com customers were also compromised in the data breach, said the complaint. It alleges Shein “recklessly or negligently failed to discover” that the data breach affected Romwe.com customers “for roughly two years.” Exacerbating that delay, Shein waited six more months, until December 2020, to begin notifying affected customers, it said. Further “cementing this harm,” Shein requires users to create an account to make a purchase at Romwe.com, and requires customers to use their phone number or email address as a username, it said.

The class action alleges Shein failed to use “reasonable and customary safeguards” to protect the login credentials of millions of Romwe.com customers. Had Shein disclosed that it didn’t use reasonable safeguards, plaintiff Wallman of Tenafly, New Jersey, and her class wouldn’t have bought items from the website, or would have paid significantly less for the items than they did, said the complaint.

Wallman brings the action on behalf of herself and all others similarly situated for actual damages and punitive damages “to fully redress the widespread harm” that Shein’s “wrongful acts and omissions have unleashed,” said the class action. It also seeks prejudgment interest on all amounts awarded, plus recovery of reasonable attorneys’ fees and court costs.