E-commerce platform Shopify has confirmed that two rogue members of its support team were to blame for a data breach.
A statement from the US company explained that the incident involved the data of fewer than 200 merchants, with immediate action taken to notify those affected.
"Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants," Shopify stated. "We immediately terminated these individuals’ access to our network and referred the incident to law enforcement."
The statement added that Shopify is working with the FBI and other international agencies in their investigation. "While we do not have evidence of the data being utilised, we are in the early stages of the investigation and will be updating affected merchants as relevant."
The company also pointed out that the incident was not the result of a technical vulnerability with the platform. "However, those whose stores were illegitimately accessed may have had customer data exposed - this data includes basic contact information, such as email, name and address, as well as order details, like products and services purchased."
Complete payment card numbers or other sensitive personal or financial information were not part of the incident.
Commenting on the breach, DomainTools senior security engineer and malware researcher Tarik Saleh said that cyber security awareness is effective against human error, but can do nothing about this type of intentional human compromise.
"Vetting employees before granting them access to sensitive servers is one option, although it will never reduce the risk down to zero; another is ensuring access to documents and sensitive data is restricted and only granted on a 'need to know' basis.
"Security efforts in this type of scenario need to be reactive: teams need to have the right systems in place to detect unusual activity in their networks and flag it immediately as suspicious."