Canadian e-ecommerce company Shopify disclosed an insider threat incident Tuesday, but questions remain about the attack and how it was discovered.
According to a Shopify forum post announcing the incident, “less than 200” of its merchants were impacted by a data breach scheme conducted by two insider threats employed at the company.
After launching an investigation and notifying affected merchants, the forum post explained that the company “determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants.”
“We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts,” the post read, adding that Shopify currently has no evidence that data was utilized as the investigation is still in the early stages.
While there is no current evidence data was utilized, the next paragraph of the disclosure notes that some customer data may have been exposed by stores that were illegitimately accessed, including “basic contact information, such as email, name, and address, as well as order details, like products and services purchased.” However, Shopify said that complete payment card information or “other sensitive personal or financial information” were not part of the incident.
In the company’s SOC 3 report for 2018-2019, which was verified by Ernst & Young auditors, Shopify asserts that “merchant and customer data is encrypted at rest and sensitive information is further encrypted at the application layer.” This would mean that despite merchant and customer data being encrypted at rest, two insider threats on the Shopify support team were able to access it.
Shopify has not shared how the activity was discovered, when it took place, when they put a stop to it or how the rogue support team members were able to potentially gain access to sensitive merchant and customers’ personally identifiable information.
Founded in 2006, Shopify is known for their online and retail e-commerce platform, as well as a host of services built to facilitate merchants opening their own online stores.
Shopify did not respond to SearchSecurity’s request for comment.
By: Alexander Culafi, News Writer