Shopify Security Breached by Rogue Employees

Shopify app on phone

On Tuesday Shopify revealed it is working with law enforcement to investigate a security breach perpetrated by two rogue employees. More than 100 Shopify merchants were affected along with all their customers.

Who is Shopify?

Shopify is a Canadian multinational company headquartered in Ottowa, Ontario, which runs an ecommerce platform of the same name. Shopify provides small online retailers (aka merchants) with a platform from which to run their online stores. The platform provides a suite of services such as payments, marketing, shipping and customer engagement tools.

The company has undergone meteoric growth since it went public in 2015. The coronavirus further boosted growth as the lockdowns forced more retailers online. In June 2019, the company reported having more than 1 million merchants in approximately 175 countries using its platform. It also has a large list of partners including Amazon.

In 2018, its total gross merchandise volume exceeded USD41.1 billion, making it the most valuable Canadian company on public markets. However, the company’s share price fell by more than 12 points in extended trading on Tuesday once Shopify disclosed the security breach.

Details of the Incident

In a prepared statement published on Tuesday this week, Shopify confirmed that two members of its support team, had accessed and tried to steal transaction records from more than 100 Shopify merchants. As a consequence, the hacked online stores may have had their customers’ data exposed, thus affecting their privacy. The personally identifiable data accessed included emails, names, addresses and order details, such as products and services purchased. The last four digits of customers’ payment card numbers may also have been stolen in the incident. However, Shopify explains that “Complete payment card numbers or other sensitive personal or financial information were not part of this incident.”

Shopify also clarified that the incident was not caused by a technical vulnerability in their platform. The two employees apparently accessed merchants’ data using Shopify’s Orders API. This API lets merchants process orders on their customers’ behalf.

The statement also explains that the vast majority of merchants using Shopify were not affected. Shopify revealed that the incident impacted less than 200 merchants, which it declined to identify but says have been notified. However, although less than 200 merchants were affected, the number of merchant records accessed is in the millions. One merchant speaking to TechCrunch, an American online publisher, stated that more than 1.3 million of its customer records had been accessed. Although Shopify has said that there is no evidence that merchants’ data has been utilized.

Shopify’s Response to the Incident

The company immediately terminated the rogue employees’ access to its network and referred the incident to relevant law enforcement agencies. “We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant,” Shopify explains in its statement.

The statement goes on to say “We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product. To put it simply, we are committed to protecting our platform, our merchants, and their customers. We will continue to work hard to earn your trust every day.”

Information technology expert
Grace is an information technology expert who joined the VPNoverview team in 2019, writing cybersecurity and internet privacy-based news articles. Due to her IT background in legal firms, these subjects have always been of great interest to her.