On Tuesday evening Shopify published a blog post saying that it had experienced a data breach. (Note that Shopify was not hacked from the outside; it was an inside job.) A blog post; not an announcement to customers, let alone outreach to the people whose data was taken, but a blog post, on its merchant ‘community’ board. Which means that the odds are good that you will never be directly contacted about this breach unless the Shopify-using merchant you bought from lets you know. (Technically, Shopify’s merchants are its customers, and Shopify says it has been in contact with the affected merchants, but not with the actual people whose data was compromised.)
Shopify is the e-commerce platform that many, many businesses use to host their online stores and to process their credit card and other payment transactions. (According to ShopifyAndYou.com, more than 1 million merchants now use Shopify.)
What happened is that two employees (in its post Shopify calls them “rogue members of our support team”) obtained the transactional records of up to 199 merchants, which is to say the records of those merchants’ customers.
The critical part of their blog post (full post included below) is this: “This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.”
Note the word “complete”. In fact financial information was “part of this incident”; it just was not complete financial information.
We know this because, as it happens, one of the affected merchants reached out to us, and here is what they had to say:
“On Monday, September 21st, 2020, Shopify informed us about a security incident that occurred on its platform. We now have the details of the customer information compromised and are proactively sharing what we know with you. Shopify told us that names, addresses, emails, product orders and the last four digits of credit cards may have been obtained. Shopify assured us complete credit card information and account passwords were NOT obtained.”
With this information it is easy for a scammer to contact you saying something like “Hi, this is so-and-so with Acme, and we are contacting you about order #1234 that you placed with us, for two shirts and a pair of pants, on September 15th. Your credit card did not go through so we need to run it again. It’s your credit card ending in 9876; can you please confirm the full number?” The last four digits are exactly what appears on your receipts and statements, so to the person being called they read as proof that the caller really is the merchant.
This sounds so plausible that lots of people will fall for it.
As we always say, regarding any place that has your data, it’s not a matter of if they will have a data breach, it’s a matter of when.
Here is Shopify’s full post, which you can also read here:
Recently, Shopify became aware of an incident involving the data of less than 200 merchants. We immediately launched an investigation to identify the issue–and impact–so we could take action and notify the affected merchants.
Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants. We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.
This incident was not the result of a technical vulnerability in our platform, and the vast majority of merchants using Shopify are not affected. However, those whose stores were illegitimately accessed may have had customer data exposed. This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.
Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.
To put it simply, we are committed to protecting our platform, our merchants, and their customers. We will continue to work hard to earn your trust every day.