- Aug 17, 2014
Canadian e-commerce merchant Shopify has reported that it detected an ongoing insider threat case.
In a statement, Shopify said it had become aware of an incident involving the data of fewer than 200 merchants, and its investigation “determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants.”
Upon discovery, Shopify immediately terminated the individuals’ access to the Shopify network and referred the incident to law enforcement. “We are currently working with the FBI and other international agencies in their investigation of these criminal acts,” it said. “While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.”
Shopify said the incident was not caused by a technical vulnerability in the platform, and some stores may have had customer data exposed. “This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.”
Shopify said it does not take these events lightly, and “we have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.”