Shopify- the Ottawa based Canadian multinational e-commerce giant informed the company’s privacy commissioner about the recent data breach and also added that the breach was carried out by two "rogue" employees.
While confirming the data breach, Shopify informed that two rogue employees which were a part of the Company’s customer support team stole at least 100 merchants’ customer data. Since the breach did not occur due to any technical glitch, the data of most merchants was safe. The stolen information includes basic details such as names and email addresses and also the data about what products they purchased, but it did not include financial information such as credit card or banking details.
Shopify in a blog stated that they have launched an investigation to identify the issue and impact so that they could take action and notify the affected merchants. The two rogue members of their support team were engaged in a scheme to obtain customer transactional records of certain merchants. Reports have suggested that both the employees were fired. The data which was stolen included customers' names, their postal addresses, and order details of about 200 merchants. Shopify has also said that the two individuals' access to the Shopify network has been blocked and their case has been handed over to the FBI and the Ottawa-based company said that "We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant." A spokesperson of Shopify gave a statement that read as follows: We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product. Email notification of Shopify was shared with TechCrunch by a merchant who stated that the company had become aware of the breach on September 15. However, the company did not publish the exact amount of people affected by the theft of data from merchants, but the email sent by Shopify contained the specific number of customer records taken in the breach. In the case of merchants, it was more than 1.3 million customer records and from that, over 4,900 were accessed.