The e-commerce giant (SHOP) (SHOP.TO) says the data breach was a result of “two rogue members” on a support team who allegedly “engaged in a scheme to obtain customer transactional records of certain merchants.”
Shopify said in a notice on the company’s discussion forum that after an investigation it terminated the two support team members’ access to the Shopify network and “referred the incident to law enforcement.”
“We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant,” Shopify said.
Shopify added this was not a result of technical issues or vulnerabilities and that “the vast majority of merchants using Shopify are not affected.” As of October 2019, Shopify had one million merchants using its platform.
It did note that data of customers related to those merchants could have been exposed, including contact information like email and names, addresses, order details, and products and services purchased.
“Complete payment card numbers or other sensitive personal or financial information were not part of this incident,” Shopify said.
A spokesperson from Shopify Canada said in an email that all affected merchants have been notified, but did not provide information on how many, if any, were Canadian. The spokesperson also did not clarify when the company became aware of the breach.