Kylie Jenner's makeup company has warned customers that their information may have been compromised in a recently detected security incident at a Canadian e-commerce merchant.
Earlier this month, Shopify reported the theft, by members of its own support team, of transactional records belonging to up to 200 of the company's merchants. The incident, which is now under investigation by the FBI, involved two Shopify employees who no longer have access to the company's network.
Clients of Kylie Cosmetics have now been notified that their personal data may be among the information swiped by the two employees, whom Shopify has branded as "rogue."
Information impacted by the security incident included basic contact details such as email, name, and address, as well as order details, like products and services purchased.
An email sent by the 23-year-old billionaire's beauty business to its customers stated: "Your trust is so important to us and we wanted to let you know we're working diligently with Shopify to get additional information about this incident and their investigation and response to this matter."
An assurance given by Shopify to its merchants regarding future insider threats was passed on to Jenner's clientele.
"Shopify has assured us that they have implemented additional controls designed to help prevent this type of incident from recurring in the future," the cosmetics company told its customers.
Jenner launched the company three years ago, and it has flourished on the back of popular products like Kylie's "Lip Kit," which consists of a matching liquid lipstick and lip liner. Last year, Jenner sold most of her shares in the company for $600m.
Shopify was founded in 2006 and is used by over a million merchants around the world, including Tesla and Victoria Beckham.
"Insider threat is a very real issue that gets little attention," commented Lamar Bailey, senior director of security research at Tripwire.
"Support engineers are often an entry level job, so it is easier for someone to infiltrate the organization at this level.
"A bad actor looking to gain company data can easily use a fake identity to secure a job and then use this position as a launching point for gathering data to sell on the black market. It is imperative that organizations have security controls in place," Bailey said. "A stance of least privilege for everyone is the best policy."