Shopify Data Breach Illustrates the Danger of Insider Threats

A recent data breach at Shopify that affected almost 200 merchants has been attributed to insiders.

The incident did not result from a technical vulnerability, but from two “rogue” support team employees involved in a scheme to procure customer transactional records and sensitive data.

Shopify conducted an investigation into the incident and found that the breach impacted under 200 Shopify merchants. The FBI was also made aware of the findings.

“We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts,” the company said in a statement.

As of now, there is no evidence as to how this data may have been misused.

Reassuringly, complete payment card numbers and other sensitive personal or financial information were not exposed as a result of this incident.

The exposed “data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased,” the statement acknowledged.

Shopify is continuing its investigation into the incident and is in touch with the impacted merchants and their customers.

The company said, “We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.”

“To put it simply, we are committed to protecting our platform, our merchants, and their customers. We will continue to work hard to earn your trust every day.”

Not all insider threats are malicious

Although the term “insider threat” carries a negative connotation, some insider threats are unintentional, with the insider simply being exploited.

For example, in July 2020, a large-scale Twitter data incident occurred because unsuspecting employees were exploited via social engineering tactics.

Regardless, the end result was a heavy impact on prominent Twitter users.

“Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7,” stated Twitter.

Insider threat monitoring software company Code42 shared insights on data exfiltration incidents with BleepingComputer, stating that 45% of all detected file exposures involved business files or source code, which is high-value data.

“On average, a typical employee causes 20 file exposure events per day. The numbers don’t lie. We found that in the past 30 days alone, literally millions of files were exposed,” they continued in a report.

Additionally, data exfiltration can occur outside of a typical work week.

For example, according to Code42, “more than one-third of weekend file exposure events happened via removable media, a surprising – and suspicious – choice of vector for employees working from home.”

Reports of insider threats at prominent organizations have increased recently, at a time when data security has become an issue of paramount importance, as demanded by privacy legislation.

Last month, a Russian national tried to recruit a Tesla subsidiary employee in an extortion effort, “to convince him to deploy an unknown malware strain on the company’s computer network.”

The attacker’s plans were thankfully foiled in time.

Earlier this year, a Roblox employee was bribed so that attackers could access the information of over 100 million users.
