The owner of fast fashion brand Shein has been ordered to pay $1.9m to New York state over a data breach that affected millions of customers.

Zoetop Business Company, Ltd – which owns e-commerce brands Shein and Romwe – failed to properly handle a 2018 data breach in which the personal information of 39 million Shein accounts and seven million Romwe accounts were compromised, New York Attorney General Letitia James announced on Wednesday.

An investigation by the Office of the Attorney General found that hackers successfully stole credit card information and personal information, including names, email addresses, and account passwords of Shein customers.

After Zoetop learned of the hack, the company “failed to take adequate steps” to protect many of the affected accounts and “downplayed the extent of the cyberattack” to shoppers, according to the OAG. For the 39 million Shein accounts impacted by the data breach, Zoetop failed to alert customers whose login credentials had been stolen. The company has also been accused of “misrepresenting” the size and scope of the breach in several public statements to its customers.

Two years later, reportedly Zoetop discovered Romwe customer login credentials available on the dark web believed to be from the 2018 cyber attack.

“Shein and Romwe’s weak digital security measures made it easy for hackers to shoplift consumers’ personal data,” said James. “While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up. Failing to protect consumers’ personal data and lying about it is not trendy.”

“Shein and Romwe must button up their cybersecurity measures to protect consumers from fraud and identity theft,” she continued. “This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated.”

As a result of the investigation, Zoetop has been ordered to pay $1.9m in penalties to New York state and must strengthen its cybersecurity measures to protect consumers’ information.

In a statement to The Independent, Shein said they “have fully cooperated with the New York Attorney General and are pleased to have resolved this matter.”

“Protecting our customers’ data and maintaining their trust is a top priority, especially with ongoing cyber threats posed to businesses around the world,” the brand said. “Since the data breach, which occurred in 2018, we have taken significant steps to further strengthen our cybersecurity posture and we remain vigilant.”

Chinese fast fashion brand Shein has become known for its inexpensive and abundant clothing options, and is now valued at $100bn. The e-commerce brand has been at the centre of much controversy since its founding in 2008, and faces accusations of worker exploitation, stealing ideas from independent designers, and contributing to the environmental damage caused by the fast fashion industry.