- Shopify recently announced that two support team members allegedly committed insider theft and obtained transactional records of at least 100 merchants.
- Data exposed in the Shopify data compromise includes names, physical addresses, email addresses, products, and services purchased.
- Businesses should consider reducing their privilege access based on the employee’s status, watch data movement across the company, and have tools to give visibility to file activities.
- Consumers should change their usernames and passwords for their Shopify account, keep an eye out for phishing emails, and act on a breach notification letter if they receive one.
- Anyone impacted by the Shopify data exposure can call the ITRC toll-free at 888.400.5530, or live-chat on the company website with an expert advisor.
The E-commerce platform, Shopify, is used by online businesses and retail point-of-systems all over the world. One of the most notable companies is Kylie Cosmetics, Kylie Jenner’s well-known make-up company. Kylie Cosmetics is one of an unknown number of merchants, believed to be between 100 – 200 merchants, impacted by a recent Shopify data exposure. While information is still limited, there are important facts and tips for both consumers and businesses to know about this case of an insider threat.
On September 22, Shopify announced that two members of their support team were engaged in a scheme to obtain customer transaction records from merchants. While there is no evidence of the data of the impacted merchants being utilized right now, the e-commerce company says they are only in the early stages of the investigation. Data exposed by the Shopify compromise includes email addresses, names, physical addresses as well as products and services purchased.
According to MarketWatch, the order details do not include financial information like credit card information or additional personal information. Shopify says most of their merchants are not affected, and the ones that are have been notified. They say they will also be updating affected merchants as more information becomes available.
How the Shopify Data Exposure Impacts Businesses
More people are working from home now than ever due to COVID-19, which means remote workers may have more access privileges than usual with fewer security restrictions. The Shopify data exposure is a great example of the dangers of an organization offering employees too much access privilege. Security experts also say that insider threats are growing with more people getting accustomed to working from home.
How Businesses Can Protect Themselves
- Reduce privilege access based on the employee and their position.
- Watch data movements across the entire company environment whether employees are on or off the network.
- Adopt a zero-trust framework so the security team can better track who is coming in and out of the network.
- Have tools in place that give visibility into file movements, enabling them to verify that corporate intellectual property and sensitive data is not leaving the organization.
How the Shopify Data Exposure Impacts Consumers
While only names, email addresses and address information were exposed, consumers affected by the Shopify data exposure could be at risk of receiving phishing emails or other emails that try to target financial information.
What Consumers Should Do
- Change their usernames and passwords for their account.
- Watch out for phishing emails and other emails attempting to collect financial information or other personally identifiable information (PII).
- Watch for a breach notification letter. If they get one, it should not be ignored. Consumers need to act and follow the steps provided in the letter. Consumers should also take advantage of credit monitoring if it is provided and consider freezing their credit.
- While full payment information is not believed to be involved, it is still a good idea for consumers to regularly check their accounts for any suspicious activity.
Contact the Identity Theft Resource Center
Victims of the Shopify data exposure are encouraged to contact the Identity Theft Resource Center (ITRC) toll-free at 888.400.5530 or live-chat with an expert advisor on our website. Data breach victims can also download the ITRC’s ID Theft Help app to access resources, advisors, a case log and much more.