Zoetop, the parent company of fast fashion brands Shein and Romwe, has been penalized with $1.9 million by New York state for its missteps in managing a data breach in 2018 that impacted 39 million Shein accounts and 7 million Romwe accounts, The Verge reports. The New York State Attorney General's Office found that Zoetop failed to inform 32.5 million Shein accounts regarding the compromise of their login information, while downplaying the number of customers affected by the intrusion. Moreover, data breach notifications have only been sent to Romwe customers in 2020 after customer logins believed to be stolen from the hack were found on the dark web. Romwe customers were initially advised in December 2020 that their passwords were reset due to them being expired before sending another message in February noting that detection of suspicious activity has prompted the password resets. Zoetop was also found by the state OAG investigation to have failed to implement appropriate security measures to protect its systems.