When Shopify, the second largest e-commerce platform in the United States, acknowledged a breach of 200 e-stores last fall, it had all the hallmarks of an insider threat.
The breach stemmed from actions taken by what the company called at the time two "rogue members" of its support team. The two employees worked in concert to steal transaction records: data like customer emails, names, addresses, and orders. At the time it wasn't clear what the now-former employees intended, or whether the data was even misused. Now the scope of the breach has come a bit more into focus.
According to an indictment filed this winter but recently made public, the breach was masterminded by an individual who was just 18 years old at the time. The Department of Justice charged Tassilo Heinrich, a resident of Orange County, California, in February with aggravated identity theft and conspiracy to commit wire fraud in connection with the incident.
Because of the indictment we know that the goal of the scam was to gain a competitive edge and take business away from the merchants they targeted.
According to the document, Heinrich worked with two co-conspirators employed by a third-party contractor that serviced the company; one was based in Portugal, the other in the Philippines. The indictment makes a point of noting that the workers had permission to access Shopify's internal network to carry out customer service, but that they weren't authorized to access the network for any other purpose.
Of course, that's just what they did.
Under Heinrich's direction, one co-conspirator stole merchant and customer data by taking screenshots of it or uploading it to Google Drive. As we learned last fall, that information included customer names, billing and shipping addresses, email addresses, the items they purchased and how they paid. With the data, Heinrich and the other co-conspirator set up their own merchant pages, similar to the ones they had stolen from, to divert business away from those merchants.
While Shopify didn't post a timeline around the incident, the indictment notes that Heinrich communicated back and forth with the first co-conspirator for months beginning on May 14, 2019. One of Heinrich’s first messages to him said they'd make a lot of money if they didn't get caught.
From there, they slowly stole data, eventually entering into a cadence in which the co-conspirator sent Google Drive links to stolen data in exchange for cryptocurrency payments and positive reviews for the merchant pages Heinrich and the second co-conspirator set up.
The length of intrusions varied from shop to shop.
One of the victims, Kylie Jenner's makeup line, Kylie Cosmetics, posted that a breach affected its platform from August 15 to September 15, 2020, meaning Heinrich's partners were inside its systems taking data for at least a month.
All told, Heinrich at one point possessed on a hard drive 3,000 files of stolen data related to merchants who used Shopify's platform, according to the court filing.
In September, shortly after news of the breach went public - a member of Shopify's staff posted about the incident on its forum - the first co-conspirator alerted Heinrich, and the two deleted the accounts they had been using to communicate. While it's not known how Shopify became aware of the incident, things clearly went south from there.
It's unclear, at least judging by the US grand jury indictment, whether the company had any mitigations in place to prevent the exfiltration of data like email addresses, names, and screen captures.
At one point Heinrich asked the co-conspirator if his employer would notice his malfeasance; the co-conspirator replied that he was "good in ninja moves" and that he could take steps to prevent being caught, like lowering the brightness on his computer screen, suggesting the only barrier to data theft was physical surveillance in the office.
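The indictment frames the problem as authorized access used for an unauthorized purpose: the contractors could legitimately view merchant records to work support tickets, so the question for a defender is not whether they could see the data but whether anyone was watching how much of it they viewed and why. The script below is an added example, not Shopify's tooling or anything described in the filing. It assumes a hypothetical audit log in which each line records a timestamp, agent id, action, merchant id and the support ticket the access was made under (empty when none), and it runs two checks over a constructed day of activity: record views with no linked ticket, and agents whose daily view count is far above their peers' median.

```python
"""Flag support-agent record access that does not look like customer service.

Added example with a hypothetical audit-log format (not Shopify's).
Each line: <timestamp> agent=<id> action=<name> merchant=<id> ticket=<id or empty>
Signals checked:
  1. 'view_order' events with no linked support ticket (access outside the
     authorised purpose), grouped by agent.
  2. agents whose per-day view count exceeds ratio * the median of all
     agents that day (a support agent has no reason to sweep many shops).
"""
from collections import defaultdict
from statistics import median

# Constructed sample log: one day, four agents. 'dave' walks through eight
# shops in about a minute with no ticket; the others work normal tickets.
SAMPLE_LOG = """\
2020-09-01T09:02:11Z agent=alice action=view_order merchant=m101 ticket=T-5001
2020-09-01T09:05:40Z agent=alice action=view_order merchant=m101 ticket=T-5001
2020-09-01T09:15:03Z agent=bob action=view_order merchant=m205 ticket=T-5002
2020-09-01T09:20:17Z agent=carol action=view_order merchant=m310 ticket=T-5003
2020-09-01T10:01:00Z agent=dave action=view_order merchant=m101 ticket=
2020-09-01T10:01:09Z agent=dave action=view_order merchant=m102 ticket=
2020-09-01T10:01:18Z agent=dave action=view_order merchant=m103 ticket=
2020-09-01T10:01:27Z agent=dave action=view_order merchant=m104 ticket=
2020-09-01T10:01:36Z agent=dave action=view_order merchant=m105 ticket=
2020-09-01T10:01:45Z agent=dave action=view_order merchant=m106 ticket=
2020-09-01T10:01:54Z agent=dave action=view_order merchant=m107 ticket=
2020-09-01T10:02:03Z agent=dave action=view_order merchant=m108 ticket=
2020-09-01T11:30:00Z agent=bob action=view_order merchant=m206 ticket=T-5004
"""


def parse_line(line):
    """Turn one 'key=value' audit line into a dict; 'ticket' may be empty."""
    ts, *fields = line.split()
    record = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text):
    """Parse every non-blank line of the log."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def ticketless_views(records):
    """Signal 1: order views with no support ticket -> {agent: [merchants]}."""
    hits = defaultdict(list)
    for r in records:
        if r.get("action") == "view_order" and not r.get("ticket"):
            hits[r["agent"]].append(r["merchant"])
    return dict(hits)


def volume_outliers(records, ratio=3.0):
    """Signal 2: {(day, agent): count} where count > ratio * peer median."""
    per_day = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r.get("action") == "view_order":
            per_day[r["ts"][:10]][r["agent"]] += 1
    outliers = {}
    for day, counts in per_day.items():
        med = median(counts.values())
        for agent, n in counts.items():
            if n > ratio * med:
                outliers[(day, agent)] = n
    return outliers


def findings(text, ratio=3.0):
    """Run both checks over raw log text and return them together."""
    records = parse_log(text)
    return {
        "ticketless": ticketless_views(records),
        "volume": volume_outliers(records, ratio),
    }


if __name__ == "__main__":
    for signal, result in findings(SAMPLE_LOG).items():
        print(signal, result)
```

On the constructed log both checks single out the same agent, which is the point: neither depends on seeing the screenshot or the Google Drive upload, only on the server-side record of which merchant data was opened and under what pretext. That is what makes this kind of check a technical stopgap rather than the physical one the co-conspirator was worried about; it does nothing about the screen itself, but a months-long pattern of ticketless, high-volume access is visible in the log long before 3,000 files accumulate on a drive. The median-ratio threshold is a deliberately simple baseline and would be tuned against real volumes in production.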
There's no mention of what impact the coronavirus (COVID-19) pandemic had on Heinrich's plan, but if there were no technical stopgaps in place, it likely made it that much easier for his co-conspirators to carry out the data theft.