Shopify Employees Go Rogue, Steal Customer & Merchant Data

essidsolutions

Ottawa-based e-commerce tech giant Shopify revealed that two ‘rogue’ employees stole merchant and customer data from its online and retail POS platform. This is not good news for IT managers at e-commerce businesses, who already have their hands full staving off cyberattacks on digital storefronts.

Just a month after Instacart notified the public of two employees who inappropriately accessed shopper information, another e-commerce company has apprised users of a security incident that exposed information of “less than 200 merchants.” Two rogue members of Shopify’s support team gained access to customer transactional records of merchants.

The Canadian e-commerce company notified the FBI and other international agencies to investigate the full extent of the breach, although it said it has no evidence that the data is being misused. Shopify also notified all affected parties of the insider theft.

Exposed merchant/store data may include contact information (email, name, address), as well as order information (products and services purchased). “This incident was not the result of a technical vulnerability in our platform, and the vast majority of merchants using Shopify are not affected,” the company stated in a blog post. Over a million merchants are registered on the Shopify platform. Sensitive personal or financial information remained unaffected.

Jake Moore, Cybersecurity Specialist at ESET, told Infosecurity Magazine, “Insider threats are a constant risk that businesses have always had to take a chance with. However, an increase in remote working – alongside the consequent factor of new employees never physically meeting their employers – accelerates the risks, meaning that insider attacks may become more prevalent than ever.”

Another insider threat incident that made headlines recently was an attempted ransomware attack on Tesla’s Nevada Gigafactory, where the Russian threat actor allegedly offered a Tesla employee $1 million to cripple its network with malware. It failed.


Despite the smaller scale of the breach, which affected fewer than 200 Shopify merchants, and the company’s co-operation and transparency, Shopify stock plunged by just over 3.5% in the day’s trade on September 22, the day Shopify disclosed the insider breach. However, the actual incident took place on September 15, according to an email sent by cosmetics retailer 100% Pure, a merchant on the Shopify platform.

Bloomberg obtained the email sent by Ric Kostick, Chief Executive Officer of 100% Pure, which read: “We deeply value the trust of our customers and we are sorry that this incident has questioned it. Our top priority right now is to ensure that the safety and security of their data are protected. We are carefully evaluating the extent of this incident with Shopify and will take all necessary and immediate actions to prevent this from happening again.”

Consequently, Shopify has terminated the network access of the two individuals. According to Shopify, “We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.”
