Shein, Amazon's Asian rival, aims to become a supply chain giant, but concerns about Chinese cyber spying in global trade links persist.

  • Shein intends to market supply chain technology globally, but concerns are mounting that confidential logistics and customer data pertaining to U.S. citizens may be captured by the Chinese government.
  • In the U.S., Shein has already faced criticism for its connections to China and its unsuccessful IPO listing attempt.
  • In 2022, Shein relocated its corporate headquarters from China to Singapore, where TikTok is headquartered, in an effort to reduce regulatory oversight, a practice that has been criticized as "Singapore washing."

U.S. cybersecurity firms and national security experts are warning of the potential for a company with close ties to China, such as Shein, to spy on the supply chain as it seeks to grow its global logistics footprint.

A select group of supply chain customers are currently testing Shein logistics software in its beta phase, according to a source.

The U.S. supply chain is made up of millions of connection points that link companies of all sizes. The connections work smoothly thanks to application programming interfaces (APIs), which enable companies to increase efficiencies and save money. API software allows applications to communicate with each other in real-time, making it essential for logistics companies to integrate with freight providers, streamline operations, and create efficiencies for providers in their supply chain and ultimately, the end customer.

Lee Kair, principal and head of the transportation and innovation practice at The Chertoff Group, who previously served as a top official at the Transportation Security Administration, stated that the APIs in the logistics infrastructure are highly interconnected, often without cybersecurity being considered.

Cybersecurity experts and policy analysts warn that the supply chain of vendors is constantly evolving, and gaining access to sensitive data is as easy as identifying the weakest link in a company's data network. Small companies are particularly vulnerable due to weaker cyber protocols in their back-office systems. "The fast fashion industry is heavily reliant on logistics integration, which can be exploited for malicious purposes to expose customer data or compromise other connected systems," Kair stated.

Shein's supply chain is more intricate and extensive than most people believe, according to data from Exiger, a supply chain intelligence company used by the U.S. government and critical infrastructure industries for risk management.

According to Exiger data, although Shein has 44 direct relationships and discloses over 5,000 suppliers, a supply chain connectivity map analysis shows that the number of companies in its one-tier network is significantly higher. In total, 10,821 companies are part of Shein's supply chain. When drilling down deeper into Shein's network of partners, it expands to over 50,000 entities, including major U.S. companies such as Forever 21, operated by Authentic Holdings, and Simon Property Group, which announced formal partnerships with Shein last year focused on access to bricks-and-mortar retail.

Dewardric McNeal, managing director and senior policy analyst at Longview Global, who served as a policy expert on Asia for the Obama administration's Department of Defense, stated that allowing Shein to embed its technology within U.S. supply chains could pose risks, including cybersecurity, and potentially undermine the competitive landscape and violate regulatory standards.

"The potential for espionage or data gathering is a significant risk due to the intricate nature of the U.S. and global supply chains," McNeal stated. "Shein's software could provide unprecedented access to sensitive supply chain data, which the Chinese government could seize under its laws. This exposure poses a direct threat to U.S. supply chain integrity, making it vulnerable to exploitation and manipulation."

Shein shifted its headquarters from China to Singapore in 2022 for regulatory and financial reasons, but its supply chains and warehouses remain in China.

"The legal framework in China poses a concern for companies with significant Chinese ownership and physical presence, as they are required to provide sensitive information related to U.S. citizens to the Chinese government. Even if the company has a headquarters in Singapore, its supply chain data could be subject to seizure by the Chinese, making U.S. customer data vulnerable."

Another instance of "Singapore washing" is the relocation of a company's headquarters from China to Singapore to avoid regulatory oversight.


There are certifications available for companies to demonstrate their information security controls adhere to industry standards. One such certification is a SOC2 Type II Report, which is created by an auditing firm to assess a company's internal controls and their effectiveness in safeguarding customer data. This audit can take several months or more. Another primary certification is an ISO 27001 certification, which is the international standard for information security management systems, and its extension, ISO 27701. Shein states that these certifications are part of their implementation of industry-standard controls to protect customers' data.

Shein stated in a CNBC interview that they collect only the minimum amount of data required for commercial transactions and have implemented systems in line with leading data protection frameworks, including ISO 27001 and 27701.

The International Standards Organization (ISO) clarified via email that it does not conduct any certifications, which are issued by various national and international certification bodies worldwide. As a result, the ISO Central Secretariat does not maintain a database of these certifications. Certified companies must inform customers of the issuing organization and any verification of certification should be directed to that certification body. CNBC searched the ISO's IAF CertSearch database for a certificate for Shein or its parent company Zoetop, but no certificate validation was found.

Shein told CNBC that it has the relevant certifications from third-party auditors.

Storing sensitive data locally

To address national security concerns, Shein has established data storage facilities in various markets. In the U.S., customer data is stored in Microsoft's U.S.-based Azure cloud and AWS's U.S.-based cloud. In the EU, customer data is kept in Frankfurt, Germany. Shein does not collect payment data in the U.S.; payments are processed by Worldpay, an American payment processing company majority-owned by the equity firm GTCR.

The industrial supplier management and digital merchant system in China enable transactions for garment raw materials and ancillary materials like buttons and zippers, streamlining the product movement process within the country.

Ram Ben Tzion, CEO of Publican, a digital vetting platform for global trade, warns CNBC that Shein and the Chinese government could misuse supply chain and consumer data. He explains that the push to promote Shein as a global logistics provider is linked to the escalating economic conflict between the U.S. and China. "This new business service is being marketed," said Ben Tzion.

According to Ben Tzion, the U.S. tightening of outsourcing from China has prompted China to push Shein as a logistics company in order to regain control over the global supply chain and overcome the challenges Chinese giants face in raising capital in the U.S. market.

The longstanding international issue of forced labor in China has resulted in legal issues for Shein's partners and political blowback in the U.S. However, a source familiar with Shein's operations stated that the company is in compliance with policies from Social Accountability International, an NGO that sets strict international fair labor standards.

McNeal stated that there are significant concerns about Shein's supply chains being deeply intertwined with forced labor from Xinjiang Province, which may violate the Uyghur Forced Labor Protection Act. He emphasized that supporting such a company contradicts U.S. regulatory efforts and ethical standards and could increase scrutiny from the Department of Homeland Security, Customs and Border Patrol, and the UFLPA Entities List Office.

Shein's planned U.S. IPO is considered "all but dead," with several powerful political figures in the nation's capital among those who sought to block it for reasons including its supply chain issues and use of trade loopholes. As a result, Shein is now pursuing a potential London listing instead. Additionally, Shein has been spurned by the U.S. retail industry's largest trade group, into which it sought membership.

In October 2022, Shein, Romwe, and its parent company Zoetop were fined $1.9 million by the New York Attorney General for their handling of a 2018 data breach that resulted in the theft of 39 million Shein accounts and seven million Romwe accounts, including accounts for over 800,000 New York residents.

"Protecting against cybersecurity threats and ensuring data ownership are crucial in global supply chains," said Srini Cherukuri, vice president of IT infrastructure & chief information security officer at ITS Logistics. "Conducting due diligence on data security and privacy practices of all supply chain partners is essential to prevent cyber attacks, minimize their impact, and optimize the recovery time of business operations."

Shein's fast rise to dominance

Shein's success can be attributed to its highly adaptable supply chain, which utilizes over 5,400 nearby factories in Guangzhou for micro-batch production, resulting in rapid design-to-delivery cycles, lower production costs, and reduced inventory risk, according to a recent report from supply chain intelligence firm Zero100. Additionally, the company's growth is driven by founder Chris Xu's expertise in SEO and online marketing, as well as a data-driven approach.

Shein's marketplace platform integrates continuous, real-time AI data to facilitate "dynamic demand-supply matching, data-driven trendspotting, and algorithmic supplier selection, with AI outputs feeding into subsequent models for comprehensive decision-making across the value chain," according to Zero100.

Ben Tzion warned that China's push for Shein as a logistics company is an attempt to distance itself from the liabilities associated with its trade practices and push them onto smaller business owners.

"Giving up control of the supply chain and followers by using a third-party like Shein for manufacturing and production will grant Shein complete access to all company information, as well as its consumers and followers' shopping habits," he stated.

Fast fashion's trip from manufacturing to market

The production of items like sneakers and apparel in Asia necessitates logistics services with multiple supply chain touchpoints.

"The average touch point for a sneaker and apparel is 5.6," said Eric Fullerton, senior director of product marketing for supply chain research firm Project44. "On average, these shipments utilize three out of the four modes of transportation, including ocean, rail, truck, and air."

Sneakers and apparel travel an average of 42% of the way around the world during the manufacturing process. The average distance traveled from the factory to the distribution center is 9,630 miles, which is long enough to walk back and forth across the United States nearly four times. On average, a shipment travels through 8.4 states in the U.S.

"If you are a traditional retailer, you wouldn't want to share your sales, inventory, and geographic strategy with a fast fashion competitor who could create a counterfeit product," Fullerton stated. "In the event of a supply chain crisis, would Shein prioritize the fulfillment of a competitor's supply chain or their own?"

In the retail industry, where profit margins are tight, many organizations view supply chain efficiency as a key to success. As Fullerton stated, "Shein would not only be able to replicate the product, but they would also be able to determine the region where it is being sold and for what price. This supply chain data would enable Shein to understand a company's distribution strategy."

Risky reliance on China

According to McNeal, it makes financial and strategic sense for Shein to gather supply chain data. By selling its software, Shein can generate an additional revenue stream, thereby improving its financial position and market edge. Moreover, by using Shein's supply chain services and software, foreign companies grant it access to their data. This access allows Shein to improve its AI and algorithmic models, resulting in more efficient operations and better market intelligence.

Over-reliance on a competitor can leave foreign firms vulnerable and compromise their own ability to harness and use their data and strengthen their supply chain and logistics operations, potentially placing them at odds with a growing Asian retail and logistics giant.

Amazon has recently announced plans to launch a new section on its website dedicated to low-priced fashion and lifestyle items that will allow Chinese sellers to ship directly to U.S. consumers. Additionally, in December, Amazon announced a new "innovation center" in Shenzhen and slashed the fees it charges merchants selling clothing priced below $20.

The scrutiny on Shein by U.S. regulators and legislators is consistent with their supply chain and data security concerns for other companies such as TikTok, DJI drones, and manufacturers of cranes operated in U.S. ports, according to Kair.

The Department of Commerce spokesperson wrote in an email that they are committed to protecting U.S. information and communications technology supply chains. They will continue to proactively identify and mitigate vulnerabilities in the U.S. ICTS supply chain and safeguard our national security.

by Lori Ann LaRocco
