Shein’s Supply Chain Tech Could ‘Subvert US Interests,’ Senator Warns

Republican Senator Tom Cotton urged President Joe Biden this week to block Shein’s plans to sell its proprietary supply chain technology and services to U.S. companies, which he described as “potentially fraudulent” and likely to siphon data to the Chinese government.

In a July 10 letter that repeatedly misspells the name of the Chinese-founded but Singapore-headquartered e-tail giant, the Arkansas lawmaker called upon the Biden administration to “ensure that data from U.S. companies is not harvested by the Chinese Communist Party (CCP) through the purchase of Shein software and technology.”

More from Sourcing Journal

• EU Eyeing Import Duties That Would Stunt Shein, Temu

• As Air Cargo Demand Rises, Shein and Temu Put Upward Pressure on Rates

• Amazon to Launch Discount Marketplace in Latest Ploy Against Shein, Temu

“As a large fashion retailer, Shien [sic] has access to a vast array of customer and supply chain data,” Cotton wrote. “And as a Chinese company, Shien [sic] is subject to national security laws that requires compliance with any request from the CCP to access that data. Allowing Shein to promulgate its technology within the U.S. will increase the risk that the CCP will gather data from U.S. businesses and use it for nefarious purposes.”

Like social media platform TikTok before it, the fast-fashion juggernaut has attracted scrutiny for its perceived closeness with China, whose diplomatic relationship with the United States has become increasingly fraught amid the countries’ escalating economic rivalry, disagreements over human rights issues and national security concerns. Shein has been keen to put distance between itself and its Chinese origins, but that hasn’t stopped U.S. lawmakers from accusing the firm of using customs loopholes to avoid taxes and serve as a conduit for the modern-day enslavement of Muslim minorities from China’s Xinjiang Uyghur Autonomous Region—charges that the London IPO aspirant has repeatedly denied.

The same allegations have been leveled at Shein’s nemesis Temu, whose parent company, PDD Holdings, began in Shanghai before shifting its legal domicile to Dublin. Their circumstances have mirrored each other’s to an almost uncanny extent. Just last month, Arkansas Attorney General Tim Griffin filed a lawsuit against the “Shop Like a Billionaire” website for what he described as “deceptive trade practices,” such as the mining of sensitive customer data through its mobile app.

“Temu is not an online marketplace like Amazon or Walmart. It is a data-theft business that sells goods online as a means to an end,” Griffin said. “Though it is known as an e-commerce platform, Temu is functionally malware and spyware.”

Shein pushed back at Cotton’s allegations, saying that it isn’t selling its software to third parties but rather fanning out its expertise to “increase efficiency and limit waste for other businesses making and selling clothes.” It also claimed that it has installed robust data security policies that limit data collection to technical information about design, manufacturing and information necessary to fulfill customer orders. All of this is stored within Microsoft’s U.S.-based Azure cloud-based solution.

“We’re proud of our on-demand business model, which matches demand with supply while dramatically reducing inventory waste, allowing us to produce the merchandise customers want when they want it,” a spokesperson said. “Expanding this offering to more artists, designers and brands through Shein’s ecosystem of supplier partners is an exciting opportunity to scale an existing and proven capability that has operated successfully and safely for years.”

Cotton, who previously sparred with TikTok over its alleged Chinese influence and potential for spying, claims, however, that Shein’s logistics technology could deliver to the CCP a “vast trove” of data about global and U.S. supply chain, as well as details about U.S. citizens.

Shein has found itself at the center of a cybersecurity imbroglio before. In 2022, New York State fined its then-parent Zoetop Business Company $1.9 million for failing to “properly handle” a data breach that stole the personal information of tens of millions of customers and then misrepresenting the extent of the attack in conversations with customers and in public.

“As we’ve seen with companies such as LOGINK in U.S. ports and TikTok, any amount of CCP access to U.S. data poses a national security risk,” Cotton said. “The CCP would almost certainly use that data to subvert U.S. interests. This is unacceptable.”