
Digital Guardian's Blog

Shopify Acknowledges Insider Breach of 200 Stores

by Chris Brook on Wednesday September 23, 2020


A breach at the popular e-commerce site was linked back to two "rogue" support team employees.

Shopify, a Canadian e-commerce website that lets anyone set up a free online store and sell their products, is grappling with the repercussions of what sounds like a meddlesome insider attack.

The company said Tuesday that customers who shopped at fewer than 200 online stores on its platform may have had their data exposed after two of its employees attempted to steal transaction records.

The company disclosed the incident in a post to its forum, pinning the blame on "two rogue members of [its] support team."

According to Shopify, the employees - who weren't named - were engaged in a scam involving the theft of customer transaction records. The service didn't elaborate on the details of the scam but stressed that it didn't stem from a technical vulnerability in its platform. Still, the incident put data like customers' emails, names, and addresses, along with order details, like the names of products or services they purchased, at risk.

Judging by the description, it sounds like the employees were abusing the privileged access they were granted in order to do their day-to-day work. Shopify claims it suspended that access and referred the incident to the Federal Bureau of Investigation and additional international agencies for further investigation.

While merchant names weren't disclosed, the fact the company said it contacted international agencies suggests some shops abroad were impacted and that, if any were located in the European Union, the service could face General Data Protection Regulation (GDPR) penalties.

While it's unclear what the intention of the employees was and if the data was even misused, the incident again helps illustrate the risks around insider threats.

The news comes as Shopify finds itself suddenly worth $117 billion. While many industries have found themselves coping with the ups and downs of the coronavirus pandemic, Shopify, which is based in Ottawa, has seen its business rise with many retailers forced to sell their wares online.

Unsecured or lax policies around privileged user access to resources, like customer databases, can lead to incidents like this. While a good deal of insider threats are caused by simple human mistakes, malicious insiders, like the employees here, can jeopardize sensitive data if there isn't a solution in place to prevent misuse.

Tags: Data Breach, Insider Threat


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.