On Tuesday, Shopify, an e-commerce platform provider, said that two members of its support staff were caught accessing customer information without permission.
The two employees used their permissions to access customer transactional records from certain merchants, according to Shopify. The company says that less than 200 merchants were affected by the incident and all of them were notified.
The name, email address , physical address, and order details (e.g. products and services purchased) were included in the exposed merchant customer data, but payment card or other financial information was not affected.
The rogue workers have been suspended and an investigation has been initiated by law enforcement.
“In their investigation of these criminal acts, we are currently working with the FBI and other international agencies. “While we do not have proof of the data being used, we are in the early stages of the investigation and will update affected merchants as relevant,” said Shopify.
The company pointed out that in its platform, this insider threat incident did not involve exploitation of a vulnerability.
To help them navigate this issue and address any of their concerns, our teams have been in close communication with affected merchants. At Shopify, we do not take these events lightly. We have zero tolerance for the abuse of platforms and will take action to preserve our community’s trust and our product’s integrity,’ the company said.
There are not unheard of incidents like this. Trend Micro said last year that an employee sold to tech support scammers the personal information of approximately 100,000 clients.