Rogue Shopify Staff Accessed Customer Records, Says Ecommerce Platform Investigating Security Breach

• Members of Shopify’s support team abused access to company network
• Customer contact information and order details accessed
• FBI and international law enforcement agencies are investigating

Shopify, the major ecommerce platform which powers many online stores, has revealed that it suffered a serious breach of security at the hands of two rogue employees.

According to a statement released by the firm, two unnamed members of Shopify’s support team abused their access to the company’s systems in order to access customer transaction details from approximately 200 merchants running online stores.

Customer data which may have been exposed includes:

• Contact information (such as email address, name, and postal address)
• Order details, including which products and services may have been purchased.

Thankfully, Shopify says that “complete payment card numbers or other sensitive personal or financial information were not part of this incident.”

That type of information would clearly have increased the severity of the breach, but that’s not to say that there’s no harm in the data which has been exposed.

After all, scammers could exploit contact information and purchase details to craft convincing phishing emails that might attempt to steal users’ passwords or payment information.

In addition, it’s clear that things could have been much worse in terms of scale as well. Shopify boasts of being used by more than one million businesses in 175 different countries, and is considered the third-largest online retailer in the United States after Amazon and eBay.

Ideally no merchants being impacted by the breach would have been the best result of all – but fewer than 200 out of one million suggests that Shopify were able to take action before things escalated to a disastrous level.

Shopify says that upon discovering the breach terminated the individuals’ network access and informed law enforcement agencies. It also says that it is contacting affected merchants to notify them of the incident.

Of course, the “insider threat” posed by malicious employees is one of the biggest potential threats that any company can face. Rogue staff are not the same as malicious remote hackers – they have been granted legitimate access to a network, given passwords, and have access to systems which may not arouse suspicion unless there is out-of-the-norm behaviour which rings alarm bells.

In its statement Shopify reassured merchants and their customers that it treats security as a priority:

“Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don”t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.”

“To put it simply, we are committed to protecting our platform, our merchants, and their customers. We will continue to work hard to earn your trust every day.”