[BreachExchange] Shopify discloses security incident caused by two rogue employees

Destry Winant destry at riskbasedsecurity.com
Wed Sep 23 10:28:35 EDT 2020


https://www.zdnet.com/article/shopify-discloses-security-incident-caused-by-two-rogue-employees/

Online e-commerce giant Shopify is working with the FBI and other law
enforcement agencies to investigate a security breach caused by two
rogue employees.

The company said two members of its support team accessed and tried to
obtain customer transaction details from Shopify shop owners
(merchants).

Shopify estimated the number of stores that might be affected by the
employees' actions at less than 200. The company boasted more than one
million registered merchants in its latest quarterly filings.

The e-commerce giant said the incident is not the result of a
vulnerability in its platform but the actions of rogue employees.

"We immediately terminated these individuals' access to our Shopify
network and referred the incident to law enforcement," the company
said in a prepared statement. "We are currently working with the FBI
and other international agencies in their investigation of these
criminal acts."

An investigation into the security breach is still in its early
phases. Shopify promised to notify impacted merchants and customers as
relevant.

The transaction data that the rogue employees might have gained access
to includes basic contact information, such as email, name, and
address, as well as order details, like products and services
purchased.

Shopify said payment card numbers or other sensitive personal or
financial information was not included in the data the staffers could
have accessed.

ANOTHER INCIDENT CAUSED BY MALICIOUS INSIDERS

The incident disclosed by Shopify is the third incident of a
"malicious insider" in the past month. Instacart and Tesla
acknowledged similar incidents last month.

Instacart said two employees working for a company providing tech
support services for Instacart shoppers "may have reviewed more
shopper profiles than was necessary in their roles as support agents."
The company had to notify 2,180 shoppers as a result of this breach.

A week after the Instacart incident, Tesla CEO Elon Musk also admitted
that his company was targeted by a Russian cybercrime gang, which
tried to recruit one of its US employees and have them install malware
on the internal network of its super-factory located in Sparks,
Nevada.

While the Instacart incident resulted in a breach for the company, the
Tesla employee resisted recruitment efforts and reported the incident
to Tesla and authorities.
