E-commerce platform provider Shopify on Tuesday confirmed that two employees of its support staff were accessing customer information without authorization.
“Recently, Shopify became aware of an incident involving the data of less than 200 merchants. We immediately launched an investigation to identify the issue–and impact–so we could take action and notify the affected merchants.” reads the Shopify announcement.
“Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants. We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement.”
The duo abused their permissions to access data related to transactions a number of merchants that are estimated to be less of 200.
The company already notified all the impacted merchants and fired the two employees.
Data accessed by the two rogue employees without authorization included name, email address, physical address, and order details (e.g. products and services purchased). The company confirmed that financial information were not impacted.
Law enforcement is currently investigating into the incident.
“We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant,” continues the company.
The company is not aware of the illegal use of the accessed data, it pointed out that the incident was not the result of a security vulnerability in its platform.
“Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify.”the company concludes. “We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product,”
This incident confirms that insider threats are hard to discover and the effects of their operations could be serious for the organization.
(SecurityAffairs – hacking, Shopify)