Shopify, a Canadian e-commerce website that lets anyone set up a free online store and sell their products is grappling with the repercussions of what sounds like a meddlesome insider attack.
The company said Tuesday that customers who shopped at fewer than 200 online stores on its platform may have had their data exposed after two of its employees attempted to steal transaction records.
The company disclosed the incident in a post to its forum, pinning the blame on "two rogue members of [its] support team."
According to Shopify, the employees - who weren't named - were engaged in a scam involving the theft of customer transaction records. While the service didn't elaborate on the details of the scam but stressed that it didn’t stem from a technical vulnerability in its platform. Still, the incident put data like customers' emails, names, and addresses, along with order details, like the names of products or services they purchased at risk.
Judging by the description, it sounds like the employees were abusing the privileged access they were granted in order to do their day-to-day work. Shopify claims it suspended that access and referred the incident to the Federal Bureau of Investigation and additional international agencies for further investigation.
While merchant names weren’t disclosed, the fact the company said it contacted international agencies suggests some shops abroad were impacted and that if any were located in the European Union, that the service could run afoul of General Data Protection Regulation (GDPR) penalties.
While it's unclear what the intention of the employees was and if the data was even misused, the incident again helps illustrate the risks around insider threats.
The news comes as Shopify finds itself suddenly worth $117 billion. While many industries have found themselves coping with ups and downs of the coronavirus pandemic, Shopify, which is based in Ottawa, has seen its business rise with many retailers forced to sell their wares online.
Unsecured or lax policies around privileged user access to resources, like customer databases, can lead to incidents like this. While a good deal of insider threats are caused by simple human mistakes, malicious insiders, like the employees here, can jeopardize sensitive data if there isn't a solution in place to prevent misuse.
