Internal security breach hits Shopify

Customer data of less than 200 retailers using the Shopify e-commerce platform may have been exposed in a security incident.

In a post on its community board, Shopify disclosed it recently became aware that two “rogue members” of its support team were engaged in a scheme to obtain customer transactional records of less than 200 merchants. Shopify immediately terminated their access to its network and is currently working with the FBI and other international law enforcement agencies to investigate.

Retailers whose stores were illegitimately accessed may have had customer data including email, name, and address, as well as order details such as products and services purchased, exposed. According to Shopify, complete payment card numbers or other sensitive personal or financial information were not compromised.

Shopify said there is no technical vulnerability in its platform and it has no current evidence of any exposed data being utilized, but any affected retailer will be updated as needed. The company did not specify what steps it may be taking to mitigate the situation for retailers whose data was exposed, but said it is in “close communication” to help them navigate the issue and address concerns.

“Many organizations grant too much privilege to their staff, contractors, and partners, where traditional perimeter security will not protect them from an insider accessing critical data,” Torsten George, cybersecurity evangelist for Centrify, said in a statement to Chain Store Age. “Businesses need to adjust their security strategies to match modern threats, moving away from sloppy password practices and unsecured privileged access and shifting to focus on administrative access controls based on a least privilege approach.”

Specific steps George recommends include enforcing segregation of duties for shared or sensitive processes and tasks, only providing users just-in-time privileges necessary for a specific job, and leveraging user and entity behavior analytics based on machine-learning technology to monitor privileged user behaviors.