Shopify reports data breach by ‘rogue members’ of staff

25 Sep 2020


Shopify said two support staff stole customer transaction data from fewer than 200 merchants.

E-commerce platform Shopify has issued a statement confirming a recent customer data breach. The company said that information from fewer than 200 merchants was accessed by two “rogue members” of its support team.

These staff members were engaged in a scheme to obtain customer transaction records from certain merchants, Shopify said. These records typically include names, home addresses, email addresses and details of orders, such as the products and services a customer paid for.

Shopify added that complete card numbers or “other sensitive personal or financial information” were not at risk. However, TechCrunch reported that the last four digits of customer cards were accessed and one merchant said that more than 4,900 customer records were accessed.

In an email notification to merchants, seen by TechCrunch, Shopify reportedly said that it first became aware of the data breach on 15 September. The incident involved the platform’s order APIs, which are used by merchants to process orders on behalf of their customers.

In its public statement, Shopify said it “immediately terminated” the employees’ access to the company’s network and reported the event to law enforcement. It said it is currently working with the FBI and other international agencies.

“While we do not have evidence of the data being utilised, we are in the early stages of the investigation and will be updating affected merchants as relevant,” the company said.

“This incident was not the result of a technical vulnerability in our platform, and the vast majority of merchants using Shopify are not affected.”

The Canadian e-commerce business has seen a boost from retailers pivoting online during the pandemic. Shopify said revenue was up by 47pc year-on-year in the first fiscal quarter of 2020, while there was a 62pc increase in new shops created on its site between 13 March and 24 April compared to the six weeks prior.

Lisa Ardill was careers editor at Silicon Republic until June 2021
