Breach, Content

Shopify Fires Rogue Employees For Alleged E-Commerce Data Scheme


Shopify ($SHOP) has fired two rogue employees for allegedly launching a scheme involving e-commerce customer records from roughly 200 merchants, the company disclosed in a blog today. Shopify has found no evidence that the incident data has been utilized, though an investigation involving the FBI is ongoing.

At first glance, the scope of the incident appears limited -- considering Shopify's e-commerce platform supports more than 1 million business worldwide. Still, Shopify did not mention which merchants were targeted in the scheme -- small boutique shops, massive online businesses or a mix? The answer is undisclosed, though Shopify has alerted all of the merchants that were targeted in the scheme.

Shopify Insider Incident: Statement About Rogue Employee Scheme

Naturally, Shopify is working overtime to maintain customer trust with its e-commerce partners. Shopify's complete statement about the data incident said:

"Recently, Shopify became aware of an incident involving the data of less than 200 merchants. We immediately launched an investigation to identify the issue--and impact--so we could take action and notify the affected merchants.

Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants. We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.

This incident was not the result of a technical vulnerability in our platform, and the vast majority of merchants using Shopify are not affected. However, those whose stores were illegitimately accessed may have had customer data exposed. This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.

Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.

To put it simply, we are committed to protecting our platform, our merchants, and their customers. We will continue to work hard to earn your trust every day."

Shopify Business Growth

Customer and partner trust remains paramount for Shopify, especially as the coronavirus pandemic drives even more e-commerce on the platform. Indeed, Shopify revenues were $714.3 million in the second quarter ended June 30, 2020 -- a 97 percent increase from the comparable quarter in 2019.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.