NY Attorney General Settlement Highlights Challenges of Username and Password Breaches

October was a busy month in New York for cybersecurity enforcement. In addition to a $4.5 million settlement between the New York Department of Financial Services and EyeMed Vision Care (discussed in a forthcoming blog post), state Attorney General Letitia James announced a $1.6 million settlement with Zoetop Business Company, Ltd. (Zoetop), relating to a data breach affecting millions of customers of online retailers SHEIN and ROMWE. The New York AG's settlement with Zoetop offers important guidance for companies navigating data security and breach notification requirements, especially as related to compromises of online usernames and passwords. For example, the settlement makes clear that the New York AG sees a compromise of usernames and insecurely hashed passwords as a data breach under New York law.

Key points from the settlement include:

• Responding to Username/Password Compromises. Many states' data breach notification laws, including New York's, include online usernames and passwords within the definition of covered personal information. The New York AG found that Zoetop inadequately responded to a breach of customers' online passwords, including by failing to timely notify many customers of the breach so that they could change their passwords. The New York AG's settlement with Zoetop leaves unanswered whether a company ever must require that users change their passwords following a breach.
• Use of Secure Hashing Algorithms for User Passwords. Another open (and frequently asked) question about username and password breaches is whether a notifiable breach has occurred if the compromised password is hashed (as described below, hashing is a process of turning a plaintext password into an unintelligible set of letters and numbers). In the Zoetop settlement, the New York AG takes the position that a compromise of an insecurely hashed password constitutes a compromise of the password itself and therefore requires notification under the state's data breach notification law.
• Public Statements Regarding Security Incidents. The New York AG found that Zoetop made several misrepresentations in various public statements about the breach. In addition to significantly underrepresenting the number of users' accounts impacted, the company falsely stated that it had no evidence that credit card information had been stolen.
• Secure Storage of Card Data. A Payment Card Industry-qualified forensic investigator (PFI) hired by Zoetop found that a subset of customers' credit card numbers had been stored in plaintext in a log file when errors occurred during credit card transactions. Unfortunately, even companies with strong security practices can be tripped up by these types of edge cases, particularly where sensitive personal information is, often unbeknownst the company, being captured in system and network logs.
• "Reasonable Security" Requirements. The New York AG found that Zoetop failed to abide by representations in its privacy policy that the company maintained "reasonable security measures." These failures included the above-mentioned use of insecure password hashing and storage of a subset of card numbers in plaintext, as well as failures to conduct adequate security monitoring, maintain a written incident response plan, and timely alert customers of the breach.

NY AG's Findings

The international online retailers SHEIN and ROMWE, both of which sold through websites and mobile apps operated by Zoetop, suffered significant data breaches in 2018. The findings from the New York AG's investigation of those breaches are summarized in an October 12, 2022, Assurance of Discontinuance between Zoetop and the New York AG. We provide some of those findings here.

Zoetop first became aware of a cyberattack in June 2018 when the company's payment processor notified Zoetop of potential theft of customers' credit card information. The payment processor informed Zoetop that credit card information of some SHEIN customers had been found for sale on the dark web, and that several customers who made credit card purchases from SHEIN later experienced fraud on their credit card accounts.[1] Zoetop did not detect the apparent compromise prior to being notified by its payment processor.Upon receiving notice from its payment processor, Zoetop engaged a cybersecurity firm to investigate. The cybersecurity firm confirmed that attackers had compromised various Zoetop systems and made two key findings:

• One, that the attackers had accessed and likely exfiltrated personal information of more than 39 million SHEIN online account holders, including names, city/province information, email addresses, and hashed account passwords.
  • The usernames and hashed passwords were then offered for sale on the dark web. Password "hashing" refers to the process of using a cryptographic algorithm to turn a plaintext password into an unintelligible series of numbers and letters (i.e., a "hash") for secure storage.
  • When hashing is done securely, it is exceedingly difficult for an attacker to determine a user's password based solely on the hash value. However, the SHEIN customers' passwords were hashed using the MD-5 algorithm, which is known to be insecure for password hashing and makes passwords susceptible to hash "cracking" (i.e., deriving the user's password from the hash value).
  • In addition to hashing, passwords also are frequently protected through "salting"—adding a random string of characters to the password before it is hashed. The New York AG found that Zoetop added only two salt values to user passwords before they were hashed—too few to adequately protect against hash cracking.
• Two, that the attackers had altered some Zoetop code responsible for processing customer credit card transactions.[2] Such code may have enabled the attackers to intercept and steal customers' credit card data; however, the cybersecurity firm was unable to determine whether such data was in fact stolen.
  • A separate technical investigation by a Payment Card Industry-approved forensic investigator (PFI) also found that, although the company generally did not store full credit card numbers, a small subset of full card numbers had been stored in plaintext format in a debug log file when errors occurred during a card transaction. It was unclear whether the attackers had accessed or exfiltrated that debug file.

Although more than 39 million users' passwords had been compromised in the attack, Zoetop represented in public statements that only 6.42 million users had been affected. The 6.42 million figure represented only those users who had previously made online purchases with SHEIN. Of those 6.42 million users, Zoetop contacted those in the US, Canada, and Europe and encouraged (but did not require) those users to reset their passwords. According to the New York AG, Zoetop misrepresented the scope of the breach by failing to acknowledge the broader set of affected customers.

The New York AG found that Zoetop also misrepresented the breach in its website FAQs by stating that the company had no evidence that credit card information was stolen—despite the report from its payment processor that card information was being sold on the dark web and its cybersecurity firm's findings that code used for payment processing had been altered. The company's other statements about the incident made no mention of a potential compromise of users' card data.

In 2022, Zoetop discovered that usernames and passwords for ROMWE were also being sold on the dark web. Unlike the SHEIN credentials, the ROMWE credentials were available for sale with passwords in plaintext (i.e., not protected by hashing). An investigation determined that the ROMWE credentials likely had been hashed when they were stolen—like the SHEIN passwords, using the MD-5 hash algorithm—but that the hashes were subsequently cracked before the credentials were placed on the dark web. The investigation also determined that the ROMWE credentials likely were stolen as part of the same attack that affected SHEIN users. The company eventually determined that about 7.3 million ROMWE accounts were compromised.

Zoetop required affected ROMWE users to change their account passwords. However, the company did not initially notify those users that their credentials had been compromised. Zoetop did not inform ROMWE users of the breach until about six months after the initial discovery.

Analysis

Username/Password Compromises

Starting with California in 2014, many states have amended their data breach notification laws to include compromises of online usernames and passwords. New York amended its data breach law to include that data in 2019. The New York AG has previously settled with various companies over their alleged failure to timely notify users of such compromise, most notably with Dunkin' Brands in 2020. The New York AG also has done significant amounts of enforcement work on the related issue of credential stuffing (compromising online accounts through automated entry of username and password combinations stolen through other cyberattacks)—and has issued its Business Guide for Credential Stuffing Attacks. The guide states that, "[i]n most cases, businesses should quickly notify each customer whose account has been, or is reasonably likely to have been, accessed without authorization."

Whether companies have any obligation to force users to reset their credentials—rather than merely notifying those users—after they identify a compromise of users' credentials remains an open question. The Zoetop settlement does not take any clear position on this point, but merely states that Zoetop neither timely informed customers of the compromise nor timely forced password resets.

Secure Hashing Algorithms for User Passwords

As many states added online usernames and passwords to their definitions of covered personal information (called "private information" in New York) for data breach notification laws, a question has persisted: if a username and hashed password is compromised, does that constitute a breach of the username and password under the statute? While the New York AG and other state AGs have not taken definitive positions on this question, the Zoetop settlement at least makes clear that a notifiable breach has occurred if the password is insecurely hashed. As discussed, the SHEIN user passwords were hashed using the MD-5 algorithm, which has been widely regarded as insufficient to securely hash passwords since at least the mid-2000s (and arguably since the mid-1990s), and that Zoetop used too few salt values to defend against hash cracking.

Although the New York AG has never explicitly stated that there is not a reportable data breach where compromised passwords are securely hashed and salted, the guidance for companies is clear: passwords must be hashed using algorithms that are generally accepted as secure among security professionals; MD-5 should not be used. The National Institute of Standards and Technology (NIST) has published a significant amount of guidance on the use of secure hashing, including in its Special Publication 800-107, "Recommendation for Applications Using Approved Hash Algorithms."

Public Statements Regarding Security Incidents

The New York AG's investigation of Zoetop is one of several recent enforcement actions in which companies have been chastised for downplaying or otherwise misrepresenting the extent of data breaches (we discussed another such action, the Securities and Exchange Commission's action against Pearson, in a prior blog post). Companies must be very careful in how they qualify their descriptions of the breach, and, in particular, should use the phrase "no evidence" with extreme caution. The New York AG found that Zoetop falsely stated it had no evidence that credit card data had been compromised, when at best the company's evidence on that point was merely inconclusive. Companies face similar pitfalls when stating that they have "no evidence" of particular activity when they simply have no evidence whatsoever—for example, when security logging is insufficient to say whether attackers accessed sensitive data.

Secure Storage of Card Data

Zoetop's storage of a subset of plaintext credit card numbers in a debug log file highlights the challenges companies face when mapping out their data flows and applying security controls to sensitive data. It is unfortunately common for companies to learn—often after cyberattack has occurred—that sensitive plaintext data is being stored in system logs and other often-unexpected places. It is important that companies thoroughly assess their data flows to ensure that their security controls, such as encryption, hashing, tokenization (the substitution of a sensitive data element such as a full card number for a non-sensitive equivalent), truncation (e.g., storing only the last four digits of the card number), and data minimization (only storing sensitive data that is necessary for business purposes), are being applied uniformly across company systems.

"Reasonable Security"

Like many states, New York requires that companies maintain "reasonable" (or something similar) security safeguards to protect sensitive personal information. However, New York is one of only a small number of states with laws that detail the specific types of safeguards required to maintain reasonable security.

Notably, the New York AG's settlement with Zoetop did not allege any violations of the section of New York law that requires companies to maintain reasonable security. Instead, the New York AG charged Zoetop with misrepresenting in its privacy policy that it used "reasonable technical, administrative, and physical security measures designed to safeguard and help prevent unauthorized access to [customer] data." Even so, the Zoetop settlement provides some guidance on what may constitute reasonable security under New York and other state laws, as the New York AG cited several practices that fell short of the reasonable security measures promised in Zoetop's privacy policy. In addition to the use of insecure hashing and salting, and the storage of some plaintext credit card numbers, the New York AG found that Zoetop:

• Failed to adequately monitor the security of its network, in that it did not run regular external vulnerability scans, use file integrity monitoring to detect unauthorized modifications to critical system files (such as those containing software code for processing consumer credit card purchases), retain system audit trails, or regularly monitor audit logs to detect incidents.
• Failed to maintain a comprehensive, written incident response plan and failed to timely notify customers of the 2018 breach, such as by alerting customers that their login credentials had been stolen and recommending they reset the passwords of affected accounts.

Prospective Relief

As part of its settlement with the New York AG, Zoetop agreed to maintain for five years a comprehensive information security program and implement various safeguards for personal information. Among other things, Zoetop must: establish appropriate password policies and procedures for customers' accounts, including hashing and salting passwords in accordance with NIST standards; maintain a centralized logging system and conduct regular security monitoring; conduct regular vulnerability scanning; and establish an incident response plan that includes promptly resetting login credentials for any customer accounts determined to have been compromised.

Conclusion

In New York and elsewhere, regulators are actively enforcing data breach notification and data security laws, resulting in millions of dollars in settlements for alleged violations. Companies must be prepared for heavy scrutiny of their data security practices, including whether they employ up-to-date and industry-standard technical controls, such as hashing and encryption protocols.

DWT's Information Security & Breach Response team advises companies on the adequacy of their cybersecurity policies and will continue to monitor enforcement agencies' actions in this area.