{"id":4841,"date":"2024-07-11T11:43:00","date_gmt":"2024-07-11T11:43:00","guid":{"rendered":"https:\/\/digitaltradecenter.com\/index.php\/2024\/07\/11\/sheins-global-ambitions-leaves-some-cybersecurity-experts-fearful-of-chinese-spy-threats\/"},"modified":"2024-07-11T11:43:00","modified_gmt":"2024-07-11T11:43:00","slug":"sheins-global-ambitions-leaves-some-cybersecurity-experts-fearful-of-chinese-spy-threats","status":"publish","type":"post","link":"https:\/\/digitaltradecenter.com\/index.php\/2024\/07\/11\/sheins-global-ambitions-leaves-some-cybersecurity-experts-fearful-of-chinese-spy-threats\/","title":{"rendered":"Shein\u2019s global ambitions leaves some cybersecurity experts fearful of Chinese spy threats"},"content":{"rendered":"<p class=''>The rise of Asian fast fashion retailer Shein already has Amazon on alert, but its plans of selling proprietary supply-chain technology and services to companies around the world have attracted attention from another corner: U.S. cybersecurity firms and national security experts who warn of the potential for a company with close ties to China spying on the supply chain as it seeks to grow its global logistics footprint.<\/p>\n<p class=''>Shein logistics software is in beta testing with select supply chain customers, according to a person familiar with its plans.<\/p>\n<p class=''>The U.S. supply chain has millions of connection points that link companies of all sizes. What makes the connections hum are application programming interfaces, or APIs, used by companies to increase efficiencies and save money. 
API software allows applications to communicate with each other in real-time and is crucial to logistics companies to integrate with freight providers, streamline operations, and create efficiencies for providers in their supply chain and ultimately, the end customer.<\/p>\n<p class=''>\u201cThe APIs in the logistics infrastructure are very interconnected, often without cybersecurity being contemplated,\u201d said Lee Kair, principal and head of the transportation and innovation practice at The Chertoff Group, who formerly served as a top official at the Transportation Security Administration.<\/p>\n<p class=''>Cybersecurity experts and policy analysts say the supply chain of vendors is constantly changing, and the potential to gain data access is as simple as identifying the weakest link in a company\u2019s data network. Typically, small companies have more vulnerable back-office systems, with weaker cyber protocols. \u201cThere is a tremendous amount of logistics integration in the world of fast fashion. These integrations can be compromised for nefarious purposes to expose customer data or compromise other connected systems,\u201d Kair said.<\/p>\n<p class=''>According to data from Exiger, a supply chain intelligence company used by the U.S. government and critical infrastructure industries for risk management, there is a complex web of entities connected to Shein which indicates the company\u2019s supply chain is more expansive and complex than most people realize.<\/p>\n<p class=''>Exiger data shows that while Shein has 44 direct relationships, such as with its parent company Zoetop, and discloses over 5,000 suppliers, an analysis of all of its materials producers shows a supply chain connectivity map that expands substantially. In all, 10,821 companies comprise a supply chain one tier away from Shein. 
Drilling down deeper into that network of those Shein partners, it expands to 50,000-plus entities, including major U.S. companies, such as&nbsp;Forever 21, operated by Authentic Holdings and mall operator&nbsp;Simon Property Group&nbsp;\u2014 both of which announced formal partnerships with Shein last year focused on access to bricks-and-mortar retail.<\/p>\n<p class=''>Allowing Shein to embed its technology within U.S. supply chains could undermine the competitive landscape, violate regulatory standards, and introduce a host of risks, including cybersecurity, said Dewardric McNeal, managing director and senior policy analyst at Longview Global, who served as a policy expert on Asia for the Obama administration\u2019s Department of Defense.<\/p>\n<p class=''>\u201cGiven the intricate nature of the U.S. and global supply chains, the potential for espionage or data gathering is a significant risk,\u201d McNeal said. \u201cShein\u2019s software could provide unprecedented access to sensitive supply chain data, which the Chinese government could seize under its laws. This exposure poses a direct threat to U.S. supply chain integrity, making it vulnerable to exploitation and manipulation.\u201d<\/p>\n<p class=''>Shein has made moves to distance itself from&nbsp;Chinese affiliations. In 2022, Shein moved its headquarters from China to Singapore for regulatory and financial reasons. However, the company\u2019s supply chains and warehouses are still in China.<\/p>\n<p class=''>\u201cThe concern of any company with significant Chinese ownership and physical presence is the legal framework in China,\u201d Kair said. \u201cChinese law requires the company\u2019s cooperation in providing sensitive information related to U.S. citizens to the Chinese government. Even with a headquarters based in Singapore, company supply chain data could be subject to seizure by the Chinese. This is a clear vulnerability of U.S. 
customer data.\u201d<\/p>\n<p class=''>Kair referred to the moving of the company\u2019s headquarters from China to Singapore to ease regulatory scrutiny as another example of the practice known as \u201cSingapore washing.\u201d<\/p>\n<p class=''>There are certifications in place for companies to prove their information security controls meet accepted corporate standards, including a SOC2 Type II Report created by a third party auditing firm to examine a company\u2019s internal controls and how well they safeguard customer data \u2014 an audit that can take several months or more. The other primary certification is an ISO 27001 certification, which is the international industry standard for information security management systems, and its extension, ISO 27701 \u2014 both of which Shein says are among its implementation of industry standard controls to protect customers\u2019 data.<\/p>\n<p class=''>\u201cWe try to limit our data collection to the minimum amount of information necessary to process commercial transactions,\u201d Shein said in a statement to CNBC. \u201cWe have built systems in accordance with leading data protection frameworks such as the International Standards Organization\u2019s standard 27001 and 27701,\u201d it stated.<\/p>\n<p class=''>The International Standards Organization, which maintains ISO standards, explained by email that it does not carry out any certifications, which are issued independently of ISO by the various national and international certification bodies operating around the world. \u201cAs such, the ISO Central Secretariat doesn\u2019t have a database of these certifications,\u201d it wrote. Certified companies have an obligation to inform customers of the name of the organization having issued the certificate, and verification of certification should be addressed to that certification organization. 
CNBC searched the ISO\u2019s IAF CertSearch database to find a certificate for Shein or its parent company Zoetop, but no certificate validation was found.<\/p>\n<p class=''>Shein told CNBC that it has the relevant certifications from third-party auditors.<\/p>\n<p class=''>To allay national security concerns, Shein has set up data storage in respective markets. It stores U.S. customer data within Microsoft U.S.-based Azure cloud and AWS US-based cloud. In the EU, customer data is stored in Frankfurt, Germany. Payment data is not collected by the company in the U.S., but by American payment processing company, Worldpay, which is majority owned by public equity firm GTCR.<\/p>\n<p class=''>The data stored in China covers its industrial supplier management and digital merchant system, which facilitates the transactions from garment raw materials \u2014 ancillary materials like buttons, zippers \u2014 in moving the product in China.<\/p>\n<p class=''>Ram Ben Tzion, co-founder and CEO of Publican, a digital vetting platform for global trade, tells CNBC it is possible for Shein, and the Chinese government, to misuse supply chain and consumer data. He says the effort to raise Shein\u2019s profile as a global logistics provider is directly related to the intensifying economic battle between the U.S. and China. \u201cYou are now seeing this new business service being offered,\u201d said Ben Tzion.<\/p>\n<p class=''>\u201cPushing Shein as a logistics company is a response or retaliation to the U.S. tightening up everything outsourcing from China,\u201d he said. \u201cThis is a way for China to regain a hold on the global supply chain,\u201d he added, referring to the flow of trade away from China, and Chinese giants finding it difficult to raise capital in the U.S. market.<\/p>\n<p class=''>Shein\u2019s manufacturing and supply chain infrastructure has also presented legal issues for partners and political blowback in the U.S. 
related to the longstanding international issue of forced labor in China. The source familiar with Shein\u2019s operations said it is in compliance with policies from Social Accountability International, an NGO that sets strict international fair labor standards.<\/p>\n<p class=''>McNeal said there are significant concerns about Shein\u2019s supply chains being deeply intertwined with forced labor from Xinjiang Province in potential violation of the Uyghur Forced Labor Protection Act. \u201cSupporting a company with such links contradicts U.S. regulatory efforts and ethical standards and could increase scrutiny from the Department of Homeland Security\u2019s, Customs and Border Patrol and the UFLPA Entities List Office,\u201d he said.&nbsp;<\/p>\n<p class=''>Shein\u2019s planned U.S. IPO&nbsp;is considered \u201call but dead,\u201d with several powerful political figures in the nation\u2019s capital among those who&nbsp;sought to block it&nbsp;for reasons including its&nbsp;supply chain issues&nbsp;and use of&nbsp;trade loopholes&nbsp;(Shein is now pursuing&nbsp;a potential London listing&nbsp;instead).&nbsp;Shein has also been spurned&nbsp;by the U.S. retail industry\u2019s largest trade group, into which it sought membership.<\/p>\n<p class=''>Shein\u2019s cybersecurity protocols have previously come under fire. In October 2022, the New York Attorney General fined Shein, its affiliate Romwe, and parent company Zoetop for $1.9 million over its handling of a 2018 data breach in which 39 million Shein accounts and seven million Romwe accounts were stolen, including accounts for more than 800,000 New York residents.&nbsp;<\/p>\n<p class=''>\u201cData ownership and protecting against cybersecurity threats are absolutely essential in the context of global supply chains,\u201d said Srini Cherukuri, vice president of IT infrastructure &amp; chief information security officer at ITS Logistics. 
\u201cConducting due diligence of data security and privacy practices of everyone in the supply chain is crucial to protecting against cybersecurity attacks, mitigating impacts, and optimizing the recovery time of business operations.\u201d<\/p>\n<p class=''>Shein\u2019s dominance lies in the company\u2019s hyper-flexible supply chain, according to a recent report from supply chain intelligence firm Zero100. It found that using over 5,400 nearby factories in Guangzhou for micro-batch production, the company is able to work with rapid design-to-delivery cycles, lower production costs, and minimize inventory risk. Led by founder Chris Xu\u2019s deep knowledge of SEO and online marketing, Shein has also developed a data-driven approach to fuel its growth.<\/p>\n<p class=''>Integrating continuous, real-time AI data across its marketplace platform, Shein enables \u201cdynamic demand-supply matching, data-driven trendspotting, and algorithmic supplier selection, with AI outputs feeding into subsequent models for comprehensive decision-making across the value chain,\u201d Zero100 stated.<\/p>\n<p class=''>That supply chain efficiency is being hailed as a positive, but Ben Tzion said that smaller manufacturers and social media influencers should understand that China\u2019s effort to push Shein as a logistics company \u201cis an attempt to distance itself from the liabilities associated with its trade practices and push it on to smaller business owners.\u201d<\/p>\n<p class=''>Using Shein for logistics also means giving up all control of their supply chain and followers. 
\u201cIt is a safe assumption to say using a third-party like Shein for manufacturing and production will give Shein complete access to all company information, as well as its consumers and followers\u2019 shopping habits,\u201d he said.<\/p>\n<p class=''>Logistics services tied to production of items like sneakers and apparel in Asia require multiple supply chain touchpoints.<\/p>\n<p class=''>\u201cThe average touch point for a sneaker and apparel is 5.6,\u201d said Eric Fullerton, senior director of product marketing for supply chain research firm Project44. \u201cThese shipments on average use three out of four modes of transportation [ocean, rail, truck, air].\u201d<\/p>\n<p class=''>According to Project44\u2019s analysis, sneakers and apparel travel an average of 42% around the world during the manufacturing process. The average distance traveled from the factory to the distribution center is 9,630 miles. That is long enough to walk back and forth across the United States nearly four times. The average shipment travels through 8.4 states in the US.<\/p>\n<p class=''>\u201cIf you are an old school retailer, you don\u2019t want to give your sales, inventory, geographic strategy to a fast fashion competitor that could make a knockoff product,\u201d Fullerton said. \u201cIn a supply chain crisis, would Shein prioritize the supply chain fulfillment of a competitor or would they prioritize their own?\u201d<\/p>\n<p class=''>In a retail world of razor-thin margins, more organizations see supply chain efficiency as a way to win the battle of the purse strings. \u201cNot only would Shein be able to knock off the product, but they would also be able to identify the region where it is selling and for how much,\u201d Fullerton said. 
\u201cThis supply chain data would provide Shein with the ability to see a company\u2019s distribution strategy.\u201d<\/p>\n<p class=''>Amassing supply chain data makes sense for Shein from both financial and strategic standpoints, according to McNeal. \u201cPurchasing this software provides Shein with an additional revenue stream, thereby strengthening its financial position and competitive edge in the market,\u201d he said. In addition, using Shein\u2019s supply chain services and software, foreign companies grant it access to their data. \u201cThis access enables Shein to enhance its AI and algorithmic models, leading to more efficient operations and better market intelligence for Shein,\u201d McNeal said.<\/p>\n<p class=''>That may ultimately place firms at odds with a growing Asian retail and logistics giant. \u201cThis makes foreign firms vulnerable to over-reliance on a competitor, potentially compromising their own ability to harness and use their data and strengthen their supply chain and logistics operations.\u201d<\/p>\n<p class=''>Shein\u2019s rapid rise has led&nbsp;Amazon to deepen its own ties within China. CNBC recently learned that&nbsp;Amazon&nbsp;plans to launch a new section on its site dedicated to low-priced fashion and lifestyle items that will allow Chinese sellers to ship directly to U.S. consumers. In December, Amazon&nbsp;announced&nbsp;a new \u201cinnovation center\u201d in Shenzhen, a popular technology and manufacturing hub, and it also&nbsp;slashed the fees&nbsp;it charges merchants selling clothing priced below $20.<\/p>\n<p class=''>Meanwhile, the U.S. government has a close eye on companies with ties to China and where supply chains or data relationships are a national security issue, Kair said. \u201cThe scrutiny on Shein by U.S. regulators and legislators is consistent with their supply chain and data security concerns of other companies such as TikTok, DJI drones, and manufacturers of&nbsp;cranes operated in U.S. 
ports.\u201d<\/p>\n<p class=''>A Department of Transportation spokesperson referred CNBC to the Commerce Department and the National Security Council. A Department of Commerce spokesperson wrote in an email that it is, \u201ccommitted to protecting U.S. information and communications technology supply chains. We will continue to proactively identify and mitigate vulnerabilities in the U.S. ICTS supply chain and safeguard our national security.\u201d<\/p>\n<div>This post appeared first on NBC NEWS<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The rise of Asian fast fashion retailer Shein already has Amazon on alert, but its plans of selling proprietary supply-chain technology and services to companies around the world have attracted attention from another corner: U.S. cybersecurity firms and national security experts who warn of the potential for a company with close ties to China spying <\/p>\n","protected":false},"author":1,"featured_media":4842,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[],"class_list":{"0":"post-4841","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business"},"_links":{"self":[{"href":"https:\/\/digitaltradecenter.com\/index.php\/wp-json\/wp\/v2\/posts\/4841","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/digitaltradecenter.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/digitaltradecenter.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/digitaltradecenter.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/digitaltradecenter.com\/index.php\/wp-json\/wp\/v2\/comments?post=4841"}],"version-history":[{"count":0,"href":"https:\/\/digitaltradecenter.com\/index.php\/wp-json\/wp\/v2\/posts\/4841\/revisions"}],"wp:featuredmedia":[{"embeddab
le":true,"href":"https:\/\/digitaltradecenter.com\/index.php\/wp-json\/wp\/v2\/media\/4842"}],"wp:attachment":[{"href":"https:\/\/digitaltradecenter.com\/index.php\/wp-json\/wp\/v2\/media?parent=4841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/digitaltradecenter.com\/index.php\/wp-json\/wp\/v2\/categories?post=4841"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/digitaltradecenter.com\/index.php\/wp-json\/wp\/v2\/tags?post=4841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}