E-commerce platform Shopify detected a security incident affecting less than 200 merchants. In an official statement released on its website, the company identified “two rogue members of [its] support team.”
According to the statement, the two offending insiders were operating a scheme that involves acquiring customer transaction records from affected merchants.
The perpetrators have customer information such as contact details, name, address, and order info. No payment credentials were involved in the scheme. Upon learning of this incident, the company promptly removed their access to such data.
Infosecurity Magazine spoke with security expert Lisa Forte from Red Goat Cyber Security LLP to know the potential damage of the incident on Shopify. Forte noted that it is known to be dangerous as they have authorized access to data, compared to external parties.
The platform has also conducted an investigation of its impact and reported the illegal activity to the appropriate authorities including the Federal Bureau of Investigation and other global agencies.
Regarding concerns of the data being used illegally, Shopify said that it “[does] not have evidence of the data being utilized.”
Shopify has been communicating with merchants who have been confirmed to be affected. Nevertheless, the firm is still assessing the extent of the incident and will be sending updates to affected users.
While Forte noted that such incidents are rare, they are “hugely damaging from a reputational standpoint” more than other types of attacks. The expert praised Shopify for its immediate and transparent action.
In an attempt to understand the motivation of the attackers, Forte said that the attackers could fall under one of three classifications namely fraud, sabotage, and theft. They also tend to work with a colleague. In Shopify’s case, the two customer support staff were working together.
The company clarified that the incident “was not the result of a technical vulnerability” in its platform. It also assured users that it has “zero tolerance for platform abuse and will take action to preserve the confidence of [its] community and the integrity of [its] product.”
It also expressed its dedication to protecting its platforms, merchants, and customers. Regarding the platform’s action, BH Consulting CEO Brian Honan praised Shopify in light of its ability to identify the breach. It also deserves credit for its actions and transparency.
Shopify is only one of a number of companies that suffered from insider threats.