Shopify Insiders Attempted to Steal Customer Transactional Records

Canadian e-commerce merchant Shopify has reported that it detected an ongoing insider threat case.

In a statement, Shopify said it had become aware of an incident involving the data of fewer than 200 merchants, and its investigation “determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants.”

Upon discovery, Shopify immediately terminated the individuals’ access to the Shopify network and referred the incident to law enforcement. “We are currently working with the FBI and other international agencies in their investigation of these criminal acts,” it said. “While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.”

Shopify said the incident was not caused by a technical vulnerability in the platform, and some stores may have had customer data exposed. “This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.”

Shopify said it does not take these events lightly, and “we have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.”

Speaking to Infosecurity, Lisa Forte, partner at Red Goat Cyber Security LLP, said insiders are notoriously dangerous, and although they are rare, they yield access legitimately granted that external attackers would only dream of.

"Incidents involving insiders are also hugely damaging from a reputational standpoint," Forte said. "Perhaps more so than other attacks. Shopify have acted quickly and apparently transparently so far. It is unclear at this point what the precise motive of these insiders was, but all insider threats fall into one of three categories: fraud, sabotage or theft. Often insiders are not working totally alone, with research evidencing the tendency of colleagues to notice but ignore suspicious behavior." 

In August, it was reported that a Tesla employee was apparently approached by an attacker, and offered $1 million to place ransomware internally.

Warren Poschman, senior solutions architect at Comforte AG, called the incident “the perfect example of the risks many organizations face” as while it can be difficult to immediately identify a rogue employee or malicious insider, the damage they can do can be irreversible. “This can create a lot of distress on both the businesses side and on consumers as fraud is easy to commit with stolen or accessed account information,” he said.

Jake Moore, cybersecurity specialist at ESET said: “Insider threats are a constant risk that businesses have always had to take a chance with. However, an increase in remote working – alongside the consequent factor of new employees never physically meeting their employers – accelerates the risks, meaning that insider attacks may become more prevalent than ever.”

Brian Honan, CEO of BH Consulting, said insider threat is one of the hardest threats for companies to manage. "Insiders by their nature are already within the company’s systems and are trusted users."

He said: "When those users abuse that trust, or are socially engineered to have that trust misused, then a company can experience a serious breach. Credit has to be given to Shopify on their ability to detect this breach, to react to it, and for disclosing the breach. While the information stolen did not include financial or credit card data criminals could still abuse the stolen data to target the affected customers with spam, scam emails, or phishing attacks. 

"Companies need to ensure they have the appropriate measures in place to manage the insider threat, such as restricting user access to only data they should have access to, segregating roles and duties, and monitoring for any suspicious or unusual behavior."

What’s Hot on Infosecurity Magazine?