Shopify has blamed two of its support team members for stealing customer data from less than 200 merchants.
The world’s leading e-commerce platform Shopify confirmed suffering a data breach. The company confirmed the breach in a blog post and revealed shocking details of who caused it.
The company claims that two ‘rogue members’ of its support staff were responsible for stealing customer data from at least 200 merchants. Both employees were immediately fired for conspiring against Shopify to “obtain customer transactional records of certain merchants.”
The incident should not come as a surprise as insider threat is nothing new yet one of the most dangerous ones due to the fact that it originates from within the organization. A few days ago it was reported that an ex-employee not only hacked Cisco’s AWS infrastructure and also erased virtual machines
Shopify, on the other hand, caters to over one million businesses worldwide, and naturally, the data breach has profoundly affected sellers and customers globally.
Although it hasn’t released any official statement regarding the incident, the company has clarified that the incident wasn’t a result of a technical glitch or security vulnerability.
“The vast majority of merchants using Shopify are not affected”, Shopify claimed in a blog post.
The rogue workers accessed transaction records, including names, emails, order details, and postal addresses. However, they couldn’t access financial data except for the last four digits of payment cards.
Shopify immediately contacted the FBI, and a criminal investigation is currently underway. Some of Shopify’s merchants include world-famous cosmetic brands like Kylie Cosmetics and 100%Pure.
Shopify stated that there is no indication of data abuse, but it has informed affected sellers about the data breach.
According to the email notification that Shopify sent to its affected customers, the breach occurred on Sep 15. The two employees obtained information accessible via Shopify’s Order API, which allows sellers to process orders on behalf of their clients/customers.
Kylie Cosmetics, owned by Kylie Jenner, confirmed receiving the email notification about the “security incident” and promptly notified its customers about the data loss. The company noted that:
“Shopify has assured us that customers’ full payment card details (full card number, card expiration date, and security code) were not compromised in the incident.”
Furthermore, Kylie Cosmetics reinstated that its customers’ trust is most important, and therefore, it is trying to be as forthcoming as possible and ‘diligently’ working with Shopify to get more information.
Shopify hasn’t revealed the exact number of end customers affected by the data breach. However, the email did mention the specific number of customer records stolen in the data breach, which, according to TechCrunch, in one merchant’s case, was over 1.3m records, out of which around 4,900 were accessed.