• Shopify and Instacart recently suffered data breaches from insider attacks, stressing the importance of not allowing too much access to employees. 
  • Consumers who receive a breach notice regarding either data breach should follow the advice. They should also change their username and password to any breached accounts, add two-factor authentication if possible, and watch for attempts like phishing emails looking to collect personal information. 
  • Businesses should reduce access and privileges based on an employee’s position, adopt a zero-trust framework, and put tools in place to track data movements.  
  • To learn more about the latest data breaches, visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notifiedTM
  • If you believe you are a victim of a data compromise, contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website. 

Not all data breaches are the result of professional cybercriminals hacking their way into a company. Sometimes, data compromises happen because of malicious insiders who want to make a quick buck. That’s what happened to Shopify, a popular online e-commerce platform used by small retailers and global brands alike.  

Subscribe to the Weekly Breach Breakdown Podcast  

Every week, the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week, and other relevant cybersecurity news in our Weekly Breach Breakdown podcast. This week, we look back at the Shopify data breach in an episode titled “Shopify ’til You Drop.” 

About Shopify 

Shopify is a Canadian e-commerce company founded in 2006 that’s considered a go-to vendor for online retailers of all sizes worldwide. Shopify provides an e-commerce platform that supports over one million merchants in 175 countries. Some of the merchants include big names like Tesla, Sephora and Kylie Cosmetics. Shopify also has smaller mom and pop-type retailers. 

Shopify Data Breach 

As the ITRC reported at the beginning of the month, the Shopify data breach happened when two Shopify’s employees collected information from merchants on the Shopify platform. Information siphoned-off includes personal information about customers and their transactions, email addresses, names, physical addresses, products, and services purchased, as well as partial payment card information. 

In late September, Shopify notified the impacted merchants and posted a notice online informing website visitors of the data breach caused by the now-former malicious employees. Once Shopify security teams figured out what was happening, the number of compromised companies was nearly 200. 

How Does This Happen? 

Attacks from malicious insiders are not rare. However, they are not common, either. IBM’s 2019 data breach report shows that seven percent of all data events studied are from insiders intent on stealing information. 

When an insider attack happens, it’s almost always because companies allow rogue employees, contractors or partners too much access. Another problem is so many employees working remotely, making it difficult for cybersecurity teams to keep up with who is moving data and where. 

Other Recent Insider Attacks 

The Shopify data breach is not the only malicious insider attack in the past two months. Instacart and Tesla both disclosed similar incidents in the last 45 days.  

Instacart says two tech support vendor employees possibly reviewed more shopper profiles than necessary in their roles as support agents. Since the incident, Instacart notified around 2,200 shoppers of the data breach. 

One week after the Instacart compromise, Tesla announced the company was targeted by a Russian cybercrime organization that tried to recruit U.S. employees to install malware on a Tesla factory’s internal network. Rather than take the deal, the Tesla employee being recruited reported the attempt to Tesla and the FBI. 

What Consumers Should Do 

If anyone receives a breach notice from a Shopify or Instacart merchant, don’t ignore it. Consumers should take the advice in the letter and complete the following actions: 

  • Change your username and passwords for any breached accounts. Make sure you have a unique password for every account you have. 
  • Add two-factor authentication to your accounts, if possible. 
  • Watch out for phishing emails, texts, links to websites and other attempts to collect financial or other personal information.  

What Businesses Should Do 

Business leaders should consider some steps to take to protect their company and customers from insider threats. Those steps include: 

  • Reduce privilege access based on the employee and their position. Ensure they have access to the least amount of information needed to do their jobs and provide a good customer experience. 
  • Watch data movements across the entire company environment, whether employees are on or off the network.  
  • Adopt a zero-trust framework so your security team can better track who is coming in and out of your network.  
  • Put tools in place to give visibility into file movements, enabling your security team to verify that corporate intellectual property and sensitive data is not leaving the organization.  


For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notifiedTM. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free. 

Contact the ITRC 

If you received a breach notice due to the Shopify of Instacart insider attacks, or any other data compromise, and you’d like to know what steps to take to protect yourself, contact the ITRC to speak with an expert advisor toll-free at 888.400.5530. You can also live-chat with an advisor on the company website. Victims of a data breach can download the free ID Theft Help App to access advisors, resources, a case log and much more.  

Join us on our  weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 

Read more of our latest blogs below

Blackbaud Ransomware Attack Significantly Impacts Q3 Data Breach Trends

Shopify Data Exposure Affects Hundreds of Online Businesses

50,000+ Fake Login Pages for Top Brands from Credential Theft