Cyber Incident Victim: ROMWE

Date: Feb 2020

Location: China

Summary

A data breach at ROMWE compromised customer credentials; the company initially described the impact as limited to usernames and passwords. Independent analysis found that the incident affected over 7.3 million individuals, and evidence indicated that stolen data had circulated on dark web platforms months before the organization's discovery. The gap between the company's disclosed timeline and the external findings showed the breach to be both larger in scale and earlier in exposure than officially acknowledged. The organization initiated notifications only after additional customer data appeared publicly on a popular forum, prompting scrutiny over the adequacy of its response and its transparency about the incident's severity.

CIA Posture: available to members

Motives: 3 motives (details available to members)

Tactics, Techniques & Procedures: 1 technique (details available to members)

Threat Actors: 0 actors

Type: available to members

Location: available to members

Description

In early 2020, ROMWE experienced a data breach involving customer information. According to the company's public statements, the incident was discovered after unauthorized data appeared on a popular online forum, prompting ROMWE to notify affected consumers. The company characterized its disclosure as an action taken out of "an abundance of caution" and initially described the compromised data as limited to some customers' usernames and passwords. This notification came months after external researchers had already identified related data exposures. Independent cybersecurity analyst Marco de Felice later challenged ROMWE's account, showing that the breach affected significantly more individuals than acknowledged: his investigation identified over 7.3 million affected customers.

Further analysis indicated that the breach timeline began earlier than ROMWE's discovery. De Felice reported finding samples of the stolen data circulating on dark web platforms as early as February 2020, predating the company's internal detection by several months. This discrepancy raised questions about the breach's duration and ROMWE's monitoring capabilities. The company did not publicly address the earlier dark web exposure or reconcile it with its stated discovery timeline. While ROMWE framed the incident as limited in scope, external findings suggested broader consequences, though specific details about data types beyond credentials were not explicitly confirmed in available reports. The company disclosed no additional technical specifics regarding attack vectors, containment measures, or system remediation in the examined materials.

Sources: 1 source (available to members)