Shopify yet to inform federal privacy commissioner of breach involving 'rogue' staff

Andrew Cummings
September 26, 2020

"We are now working with the FBI and other global agencies in their investigation of these criminal acts", the company said.

Shopify says it has terminated two "rogue" employees who were involved in a scheme to steal customer information from some of the company's merchants.

The information that may have been accessed by the two employees includes names, email addresses and mailing addresses, as well as order details, such as products and services purchased, the company says.

"Many organizations grant too much privilege to their staff, contractors, and partners, where traditional perimeter security will not protect them from an insider accessing critical data", Torsten George, cybersecurity evangelist for Centrify, said in a statement to Chain Store Age.

"While we do not have evidence of data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant", the company said.

Customer transaction records from some of the merchants were obtained by hackers on September 15, according to an email sent to customers by 100% Pure, a cosmetics retailer that uses the Shopify platform. Over 1 million merchants, including boutique shops and well-known brands, use the platform across the globe. Shopify was working with the Federal Bureau of Investigation and other worldwide crime agencies, it said.

Shopify has reported a security incident in which two rogue employees from its support department accessed PII of a few stores.

Shopify says in the post that it terminated the employees' access to its network, referred the incident to law enforcement and will work with the FBI to investigate further. The company did not reveal the merchants involved, the timeframe of the incident or how many merchants' customers had data compromised.
