Romwe shoppers, your account may have been compromised.
Last night, the Hong Kong-based retailer announced that it had encountered a security breach of customer data. It explained that it had discovered on Sept. 7 that some usernames and passwords may have been stolen from its network back in July 2018 “as determined by internal and external forensic investigations.”
In a statement, the company wrote, “In an abundance of caution, Romwe has taken steps to notify all potentially affected individuals and to provide resources to assist them… Romwe takes the protection of its customers’ information seriously and sincerely apologizes for any inconvenience this incident may cause.”
According to the fast-fashion e-commerce site, which was founded just over a decade ago, the usernames and passwords could have provided access to some customers’ data, including their names, emails and phone numbers, as well as other optional information that they may have added to their accounts.
Romwe noted that debit or credit card numbers stored in customer accounts remain secure; it shared that the site does not store full payment information.
“Over the past several years, Romwe has continued to improve its security protections as part of its regular security program activities, including by increasing password encryption and using more advanced intrusion detection technologies,” the company added. “For the present matter, we have also forced password resets for all potentially affected customers.”
The retailer shared that it has already alerted customers to the steps they can take to monitor and protect their personal information. It has also established a toll-free call center to answer questions about the incident and related concerns. (Shoppers in the United States and Canada who may have been impacted are urged to reach out at 1-877-218-7105 from 7 a.m. to 7 p.m. PT.)
What’s more, Romwe announced that it was also offering “dark web monitoring” at no cost through software firm ID Experts. Instructions on how to sign up were included in an email notice sent yesterday to potentially affected individuals.
For those seeking to delete their accounts, customers should visit their “My Account” page and click on “Account Security” followed by “Delete Account.” Typically, the account will be deleted in three days, and a notification email will automatically be sent upon successful deletion. Once deleted, shoppers will be unable to recover or reinstate their account and any related information. They will also be unsubscribed from mailings.