
Canadian multinational e-commerce company Shopify disclosed a security incident that involved the information of some of its merchants.

On September 22, Shopify published an incident update on its website. The bulletin explained that “two rogue members” of the company’s support team had engaged in a scheme to obtain the customer transaction records of fewer than 200 merchants. Shopify stressed that the incident was not the result of a technical vulnerability in its platform; it was an abuse of the access the two held as insiders.

Shopify’s investigation found that the vast majority of its merchants were unaffected, but that the customer data of some stores had been exposed.

That data included customers’ contact information (names, email addresses and physical addresses) along with their order details. It did not include payment card numbers or other sensitive personal or financial information.

The company responded by terminating the malicious insiders and notifying law enforcement.

As of this writing, Shopify was still investigating this incident with the assistance of the FBI and other international law enforcement bodies.

PJ Norris, senior systems engineer at Tripwire, explains that this incident highlights the need for organizations to defend themselves against internal threats:

Organizations are often so focused on protecting their infrastructure and data from external threats that they forget that, like the classic horror film ploy, the call may be coming from inside the house. Employees have access to their organization’s sensitive assets, which is why it isn’t all that uncommon for disgruntled employees to steal data or even accept bribes from cybercriminal groups whose vaults are replenished regularly by the returns of their malicious campaigns. Hopefully, Shopify will have a monitoring system in place that will aid their security team and the FBI in analyzing which accounts have been compromised and how the incident occurred.

Organizations should protect themselves from insider threats by designing their environment with least privilege in mind so that only the right people have access to sensitive data at the right time. It is impossible to reduce the risk of a rogue employee intentionally causing a security incident, which is why it is best to have all the measures in place to monitor activity on sensitive servers and to record sessions in the unfortunate event that a forensic investigation becomes necessary.
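The monitoring Norris describes only helps if someone actually looks at the access trail for patterns a support role does not need. As an added illustration (not Shopify’s code or Norris’s), the script below runs a simple insider-threat check over a constructed audit log from a hypothetical support console: it flags any agent who pulls order records from more distinct merchants in a day than a support case plausibly requires, and any agent who exports order data without a support-ticket reference. The log format, field names, thresholds and sample events are all assumptions made for the example.

```python
"""Flag support agents whose access to merchant order records looks like bulk
collection rather than case work. Added example; log format, field names,
thresholds and sample events are assumed, not taken from any real system."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed audit records from a hypothetical support console.
# Each line: ISO-8601 timestamp, agent, merchant id, action, ticket ("-" = none).
SAMPLE_LOG = """\
2020-09-14T09:02:11Z agent_a m1021 view_orders T-5531
2020-09-14T09:40:52Z agent_a m1021 export_orders T-5531
2020-09-14T10:15:00Z agent_b m2204 view_orders T-5540
2020-09-14T11:22:09Z agent_b m2205 view_orders T-5542
2020-09-15T08:55:13Z agent_a m1033 view_orders T-5560
2020-09-15T09:10:47Z agent_b m2210 view_orders T-5563
2020-09-16T02:01:30Z agent_c m3001 export_orders -
2020-09-16T02:03:12Z agent_c m3002 export_orders -
2020-09-16T02:04:59Z agent_c m3003 export_orders -
2020-09-16T02:06:41Z agent_c m3004 export_orders -
2020-09-16T02:08:05Z agent_c m3005 export_orders -
2020-09-16T09:30:00Z agent_a m1040 view_orders T-5571
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    agent: str
    merchant: str
    action: str
    ticket: Optional[str]   # None when the agent gave no case reference


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated audit format assumed above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, merchant, action, ticket = line.split()
        # Older Pythons reject the trailing "Z"; normalise it to an offset.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, agent, merchant, action,
                            None if ticket == "-" else ticket))
    return events


def find_suspicious_agents(events: List[Event],
                           max_merchants_per_day: int = 3,
                           max_exports_without_ticket: int = 0) -> Dict[str, List[str]]:
    """Return {agent: [reasons]} for agents whose access exceeds the limits.

    Two signals, both cheap to compute from an access log:
      * distinct merchants touched per agent per day (a case normally
        concerns one merchant, so a wide fan-out is the bulk-collection tell);
      * order exports that carry no support-ticket reference.
    """
    merchants_per_day = defaultdict(set)   # (agent, date) -> merchants
    exports_no_ticket = defaultdict(int)   # agent -> count
    for e in events:
        merchants_per_day[(e.agent, e.ts.date())].add(e.merchant)
        if e.action == "export_orders" and e.ticket is None:
            exports_no_ticket[e.agent] += 1

    findings: Dict[str, List[str]] = defaultdict(list)
    for (agent, day), merchants in sorted(merchants_per_day.items(),
                                          key=lambda kv: kv[0]):
        if len(merchants) > max_merchants_per_day:
            findings[agent].append(
                f"{day}: accessed {len(merchants)} distinct merchants "
                f"(limit {max_merchants_per_day})")
    for agent, n in exports_no_ticket.items():
        if n > max_exports_without_ticket:
            findings[agent].append(f"{n} order exports with no ticket reference")
    return dict(findings)


if __name__ == "__main__":
    for agent, reasons in find_suspicious_agents(parse_log(SAMPLE_LOG)).items():
        print(agent)
        for r in reasons:
            print("  -", r)
```

On the constructed sample only agent_c is flagged, on both counts: five merchants in one early-morning window and five exports with no case reference. The thresholds are deliberately crude; in practice you would derive a per-agent baseline from historical access and alert on deviations from it, and the same log is what a forensic investigation would use to establish which accounts were involved and what they touched.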
