Dive Brief:
- Fashion retailer Shein said its website suffered a data breach this past summer affecting more than 6.4 million of its customers, during which "certain personally identifiable information of its customers was stolen," including e-mail addresses and passwords, according to a press release.
- Shein discovered the cyberattack in late August. After an initial investigation, it is believed the attack lasted from sometime in June until late August, the press release stated. The company stated in an additional FAQ post on its website that it didn't believe credit card theft had occurred, but recommended that customers change their passwords.
- The retailer further stated that its website servers "have been scanned and malware found on the servers has been removed. 'Back door' entry points to the servers opened by the attackers have been closed and removed."
Dive Insight:
Not much more is known about this particular attack yet, and the investigation is ongoing, according to Shein. But it could be something as simple as an email phishing scam, which was responsible for the multi-billion Target data breach five years ago (an e-mail phishing attack on a Target partner was directly connected to that breach).
The Target data breach seemed like a wake-up call for the retail sector. While investment in security strategies and technologies certainly has increased, and retailers talk a lot more than they once did about their mission to protect their customers, the attacks haven't stopped as we approach the five-year anniversary this December.
The Shein incident is just the latest evidence of that, but there are plenty of other recent examples including the Macy's data breach last spring and the Hudson's Bay Company attack in 2017, which was dubbed among the 'most damaging' in retail. Nevertheless, Shein responded to this incident quickly and decisively once it knew what was going on, and its communication about the attack and offer of a free year of credit monitoring to affected customers is consistent with what retailers in similar situations have done.
However, retailer responses to such incidents have become almost standardized. Customers rarely learn exactly how a breach happened and what the retailer will do next to make sure it never happens again. This pattern of response suggests retailers are starting to accept that there is not much they can do to stop attacks and that the industry has not made much progress over the past five years.