Shopify discloses security incident caused by two rogue employees

Shopify said two rogue support staffers accessed customer transaction details for fewer than 200 stores.

Online e-commerce giant Shopify is working with the FBI and other law enforcement agencies to investigate a security breach caused by two rogue employees.

The company said two members of its support team accessed and tried to obtain customer transaction details from Shopify shop owners (merchants).

Shopify estimated the number of stores that might be affected by the employees' actions at fewer than 200. The company boasted more than one million registered merchants in its latest quarterly filings.

The e-commerce giant said the incident is not the result of a vulnerability in its platform but the actions of rogue employees.

"We immediately terminated these individuals' access to our Shopify network and referred the incident to law enforcement," the company said in a prepared statement. "We are currently working with the FBI and other international agencies in their investigation of these criminal acts."

An investigation into the security breach is still in its early phases. Shopify promised to notify impacted merchants and customers as relevant.

The transaction data that the rogue employees might have gained access to includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased.

Shopify said payment card numbers or other sensitive personal or financial information was not included in the data the staffers could have accessed.

Another incident caused by malicious insiders

The incident disclosed by Shopify is the third "malicious insider" incident in the past month. Instacart and Tesla acknowledged similar incidents last month.

Instacart said two employees working for a company providing tech support services for Instacart shoppers "may have reviewed more shopper profiles than was necessary in their roles as support agents." The company had to notify 2,180 shoppers as a result of this breach.

A week after the Instacart incident, Tesla CEO Elon Musk also admitted that his company was targeted by a Russian cybercrime gang, which tried to recruit one of its US employees and have them install malware on the internal network of its super-factory located in Sparks, Nevada.

While the Instacart incident resulted in a breach for the company, the Tesla employee resisted recruitment efforts and reported the incident to Tesla and the authorities.