Shopify’s Insider Threat


We all fear our data and information being breached by outside forces wanting to sell our client details to the highest bidder, but what about when the threat comes from inside the very organization we trust with our data?

This is the question now facing Canadian e-commerce platform Shopify, the latest company in the data breach news, after it detected an insider threat and acted immediately.

In its statement, Shopify said that two rogue members of the Shopify support team were engaged in a scheme to obtain the customer transactional records of fewer than 200 merchants. Shopify terminated their access with immediate effect, contacted the FBI and other international agencies to take swift action against the perpetrators, and notified the affected merchants, although at this stage there is no clear evidence that the data has been used so far.

Details Accessed

According to Shopify, the incident did not involve any technical vulnerability in the platform. Some stores may nonetheless have had customer data exposed, including basic contact information such as email and postal addresses, as well as order details.

More sensitive information, such as payment card details or further personal and financial details, was not accessed during the insider breach.

Zero Tolerance

Shopify acted immediately and treated the incident as a priority, making clear that platform abuse and threats to the integrity of the product are not taken lightly and that action was taken to preserve public confidence.

Insider threats are notoriously dangerous yet comparatively rare, but those who have been granted access hold a degree of legitimate access to data that an external party could only envy. When that trust is broken by an internal member of the platform, the reputational damage to the company is far greater.

Shopify’s sharp and rapid action once the threat was discovered has thwarted the insiders’ aims, although their motives have yet to be determined. Typically an insider breach is carried out for theft, fraud or sabotage, and it is rarely a single isolated act.

Battling the Threat

With remote working becoming a necessity for many companies, the associated risks will continue to rise, and many large organizations are seeing more and more threats from both external and internal sources.

In the summer, Tesla became a known target when an employee was reportedly approached by an external party offering £1m to implant ransomware internally. This is going to be a growing risk factor for many large corporations and government bodies, as identifying rogue or enticed employees is difficult and the damage inflicted by failing to discover them can be fatal.

Corporations such as Shopify will have to ensure that adequate measures are in place to combat the insider threat, such as restricting user access to the data applicable to their role and making better use of behavioural monitoring to spot suspicious activity among employees.

For more information on what is considered a data breach, and on events being held to discuss tactics for fighting them, talk to Whitehall Media about upcoming talks and events.