Shein’s global ambitions leave some cybersecurity experts fearful of Chinese spy threats
The rise of Asian fast fashion retailer Shein already has Amazon on alert, but its plans to sell proprietary supply-chain technology and services to companies around the world have attracted attention from another corner: U.S. cybersecurity firms and national security experts who warn that a company with close ties to China could spy on the supply chain as it seeks to grow its global logistics footprint.
Shein logistics software is in beta testing with select supply chain customers, according to a person familiar with its plans.
The U.S. supply chain has millions of connection points that link companies of all sizes. What makes the connections hum are application programming interfaces, or APIs, used by companies to increase efficiencies and save money. API software allows applications to communicate with each other in real time and is crucial for logistics companies integrating with freight providers, streamlining operations, and creating efficiencies for providers in their supply chain and, ultimately, the end customer.
“The APIs in the logistics infrastructure are very interconnected, often without cybersecurity being contemplated,” said Lee Kair, principal and head of the transportation and innovation practice at The Chertoff Group, who formerly served as a top official at the Transportation Security Administration.
Cybersecurity experts and policy analysts say the supply chain of vendors is constantly changing, and the potential to gain data access is as simple as identifying the weakest link in a company’s data network. Typically, small companies have more vulnerable back-office systems, with weaker cyber protocols. “There is a tremendous amount of logistics integration in the world of fast fashion. These integrations can be compromised for nefarious purposes to expose customer data or compromise other connected systems,” Kair said.
According to data from Exiger, a supply chain intelligence company used by the U.S. government and critical infrastructure industries for risk management, there is a complex web of entities connected to Shein, which indicates the company’s supply chain is more expansive and complex than most people realize.
Exiger data shows that while Shein has 44 direct relationships, such as with its parent company Zoetop, and discloses over 5,000 suppliers, an analysis of all of its materials producers shows a supply chain connectivity map that expands substantially. In all, 10,821 companies comprise a supply chain one tier away from Shein. Drilling deeper into the network of those Shein partners, it expands to 50,000-plus entities, including major U.S. companies, such as Forever 21, operated by Authentic Holdings, and mall operator Simon Property Group — both of which announced formal partnerships with Shein last year focused on access to bricks-and-mortar retail.
Allowing Shein to embed its technology within U.S. supply chains could undermine the competitive landscape, violate regulatory standards, and introduce a host of risks, including cybersecurity, said Dewardric McNeal, managing director and senior policy analyst at Longview Global, who served as a policy expert on Asia for the Obama administration’s Department of Defense.
“Given the intricate nature of the U.S. and global supply chains, the potential for espionage or data gathering is a significant risk,” McNeal said. “Shein’s software could provide unprecedented access to sensitive supply chain data, which the Chinese government could seize under its laws. This exposure poses a direct threat to U.S. supply chain integrity, making it vulnerable to exploitation and manipulation.”
Shein has made moves to distance itself from Chinese affiliations. In 2022, Shein moved its headquarters from China to Singapore for regulatory and financial reasons. However, the company’s supply chains and warehouses are still in China.
“The concern of any company with significant Chinese ownership and physical presence is the legal framework in China,” Kair said. “Chinese law requires the company’s cooperation in providing sensitive information related to U.S. citizens to the Chinese government. Even with a headquarters based in Singapore, company supply chain data could be subject to seizure by the Chinese. This is a clear vulnerability of U.S. customer data.”
Kair referred to the moving of the company’s headquarters from China to Singapore to ease regulatory scrutiny as another example of the practice known as “Singapore washing.”
There are certifications in place for companies to prove their information security controls meet accepted corporate standards, including a SOC2 Type II report created by a third-party auditing firm to examine a company’s internal controls and how well they safeguard customer data — an audit that can take several months or more. The other primary certification is ISO 27001, the international industry standard for information security management systems, and its extension, ISO 27701 — both of which Shein says are among the industry standard controls it has implemented to protect customers’ data.
“We try to limit our data collection to the minimum amount of information necessary to process commercial transactions,” Shein said in a statement to CNBC. “We have built systems in accordance with leading data protection frameworks such as the International Standards Organization’s standard 27001 and 27701,” it stated.
The International Standards Organization, which maintains ISO standards, explained by email that it does not carry out any certifications, which are issued independently of ISO by the various national and international certification bodies operating around the world. “As such, the ISO Central Secretariat doesn’t have a database of these certifications,” it wrote. Certified companies have an obligation to inform customers of the name of the organization having issued the certificate, and verification of certification should be addressed to that certification organization. CNBC searched the ISO’s IAF CertSearch database to find a certificate for Shein or its parent company Zoetop, but no certificate validation was found.
Shein told CNBC that it has the relevant certifications from third-party auditors.
To allay national security concerns, Shein has set up data storage in respective markets. It stores U.S. customer data within Microsoft U.S.-based Azure cloud and AWS US-based cloud. In the EU, customer data is stored in Frankfurt, Germany. Payment data is not collected by the company in the U.S., but by American payment processing company, Worldpay, which is majority owned by public equity firm GTCR.
The data stored in China covers its industrial supplier management and digital merchant system, which handles the transactions for garment raw materials and ancillary materials such as buttons and zippers as product moves within China.
Ram Ben Tzion, co-founder and CEO of Publican, a digital vetting platform for global trade, told CNBC it is possible for Shein, and the Chinese government, to misuse supply chain and consumer data. He said the effort to raise Shein’s profile as a global logistics provider is directly related to the intensifying economic battle between the U.S. and China. “You are now seeing this new business service being offered,” said Ben Tzion.
“Pushing Shein as a logistics company is a response or retaliation to the U.S. tightening up everything outsourcing from China,” he said. “This is a way for China to regain a hold on the global supply chain,” he added, referring to the flow of trade away from China, and Chinese giants finding it difficult to raise capital in the U.S. market.
Shein’s manufacturing and supply chain infrastructure has also presented legal issues for partners and political blowback in the U.S. related to the longstanding international issue of forced labor in China. The source familiar with Shein’s operations said it is in compliance with policies from Social Accountability International, an NGO that sets strict international fair labor standards.
McNeal said there are significant concerns about Shein’s supply chains being deeply intertwined with forced labor from Xinjiang Province in potential violation of the Uyghur Forced Labor Protection Act. “Supporting a company with such links contradicts U.S. regulatory efforts and ethical standards and could increase scrutiny from the Department of Homeland Security’s Customs and Border Patrol and the UFLPA Entities List Office,” he said.
Shein’s planned U.S. IPO is considered “all but dead,” with several powerful political figures in the nation’s capital among those who sought to block it for reasons including its supply chain issues and use of trade loopholes (Shein is now pursuing a potential London listing instead). Shein has also been spurned by the U.S. retail industry’s largest trade group, into which it sought membership.
Shein’s cybersecurity protocols have previously come under fire. In October 2022, the New York Attorney General fined Shein, its affiliate Romwe, and parent company Zoetop $1.9 million over their handling of a 2018 data breach in which 39 million Shein accounts and seven million Romwe accounts were stolen, including accounts for more than 800,000 New York residents.
“Data ownership and protecting against cybersecurity threats are absolutely essential in the context of global supply chains,” said Srini Cherukuri, vice president of IT infrastructure & chief information security officer at ITS Logistics. “Conducting due diligence of data security and privacy practices of everyone in the supply chain is crucial to protecting against cybersecurity attacks, mitigating impacts, and optimizing the recovery time of business operations.”
Shein’s dominance lies in the company’s hyper-flexible supply chain, according to a recent report from supply chain intelligence firm Zero100. It found that by using over 5,400 nearby factories in Guangzhou for micro-batch production, the company is able to work with rapid design-to-delivery cycles, lower production costs, and minimize inventory risk. Led by founder Chris Xu’s deep knowledge of SEO and online marketing, Shein has also developed a data-driven approach to fuel its growth.
Integrating continuous, real-time AI data across its marketplace platform, Shein enables “dynamic demand-supply matching, data-driven trendspotting, and algorithmic supplier selection, with AI outputs feeding into subsequent models for comprehensive decision-making across the value chain,” Zero100 stated.
That supply chain efficiency is being hailed as a positive, but Ben Tzion said that smaller manufacturers and social media influencers should understand that China’s effort to push Shein as a logistics company “is an attempt to distance itself from the liabilities associated with its trade practices and push it on to smaller business owners.”
Using Shein for logistics also means those businesses give up all control of their supply chain and followers. “It is a safe assumption to say using a third-party like Shein for manufacturing and production will give Shein complete access to all company information, as well as its consumers and followers’ shopping habits,” he said.
Logistics services tied to production of items like sneakers and apparel in Asia require multiple supply chain touchpoints.
“The average touch point for a sneaker and apparel is 5.6,” said Eric Fullerton, senior director of product marketing for supply chain research firm Project44. “These shipments on average use three out of four modes of transportation [ocean, rail, truck, air].”
According to Project44’s analysis, sneakers and apparel travel on average 42% of the way around the world during the manufacturing process. The average distance traveled from the factory to the distribution center is 9,630 miles. That is long enough to walk back and forth across the United States nearly four times. The average shipment travels through 8.4 states in the U.S.
“If you are an old school retailer, you don’t want to give your sales, inventory, geographic strategy to a fast fashion competitor that could make a knockoff product,” Fullerton said. “In a supply chain crisis, would Shein prioritize the supply chain fulfillment of a competitor or would they prioritize their own?”
In a retail world of razor-thin margins, more organizations see supply chain efficiency as a way to win the battle of the purse strings. “Not only would Shein be able to knock off the product, but they would also be able to identify the region where it is selling and for how much,” Fullerton said. “This supply chain data would provide Shein with the ability to see a company’s distribution strategy.”
Amassing supply chain data makes sense for Shein from both financial and strategic standpoints, according to McNeal. “Purchasing this software provides Shein with an additional revenue stream, thereby strengthening its financial position and competitive edge in the market,” he said. In addition, by using Shein’s supply chain services and software, foreign companies grant it access to their data. “This access enables Shein to enhance its AI and algorithmic models, leading to more efficient operations and better market intelligence for Shein,” McNeal said.
That may ultimately place firms at odds with a growing Asian retail and logistics giant. “This makes foreign firms vulnerable to over-reliance on a competitor, potentially compromising their own ability to harness and use their data and strengthen their supply chain and logistics operations.”
Shein’s rapid rise has led Amazon to deepen its own ties within China. CNBC recently learned that Amazon plans to launch a new section on its site dedicated to low-priced fashion and lifestyle items that will allow Chinese sellers to ship directly to U.S. consumers. In December, Amazon announced a new “innovation center” in Shenzhen, a popular technology and manufacturing hub, and it also slashed the fees it charges merchants selling clothing priced below $20.
Meanwhile, the U.S. government is keeping a close eye on companies with ties to China, and on cases where supply chains or data relationships are a national security issue, Kair said. “The scrutiny on Shein by U.S. regulators and legislators is consistent with their supply chain and data security concerns of other companies such as TikTok, DJI drones, and manufacturers of cranes operated in U.S. ports.”
A Department of Transportation spokesperson referred CNBC to the Commerce Department and the National Security Council. A Department of Commerce spokesperson wrote in an email that it is, “committed to protecting U.S. information and communications technology supply chains. We will continue to proactively identify and mitigate vulnerabilities in the U.S. ICTS supply chain and safeguard our national security.”