A breach at the popular e-commerce site Shopify was linked back to 2 “rogue” support team employees.
Shopify, a Canadian e-commerce website that lets anyone set up a free online store & sell their products is dealing with the repercussions of what sounds like an insider attack.
The company said Tues. that customers who shopped at fewer than 200 online stores on its platform may have had their data exposed after 2 of its employees attempted to steal transaction records.
The company disclosed the incident in a post to its forum, pinning the blame on “two rogue members of its support team.”
Employees
Says Shopify, the employees, who were unnamed – were engaged in a scam involving the theft of customer transaction records. While they did not elaborate on the details of the scam but stressed that it did not stem from a technical vulnerability in its platform. The incident put data like customers’ emails, names, & addresses, along with order details, like the names of products or services they purchased at risk.
It sounds like the employees were abusing the privileged access they were granted in order to do their day-to-day work. Shopify claims it suspended that access & referred the incident to the Federal Bureau of Investigation (FBI) & additional international agencies for further investigation.
GDPR
While names weren’t disclosed, the fact the company said it contacted international agencies suggests some shops abroad were impacted, & that if any were located in the European Union, that the service could run afoul of General Data Protection Regulation (GDPR) penalties.
While it is unclear what the intention of the employees was & if the data was even misused, the incident again helps illustrate the risks around insider threats.
$117 Billion
The news comes as Shopify finds itself suddenly worth $117 billion. While many industries have found themselves coping with ups & downs of the coronavirus pandemic, Shopify, which is based in Ottawa, has seen its business rise with many retailers forced to sell their wares online.
Unsecured or lax policies around privileged user access to resources, like customer databases, can lead to incidents like this. While a good deal of insider threats are caused by simple human mistakes, malicious insiders, like the employees here, can jeopardise sensitive data if there is not a solution in place to prevent misuse.