Shopify Says ‘Rogue’ Employees Stole Data From Merchants

September 23, 2020

Shopify Inc. said two employees stole data from more than 100 merchants, potentially exposing the personal information of consumers who shopped on web stores that use the company’s e-commerce software.

“Rogue members” of Shopify’s support team were involved in a scheme to obtain customer transactional records from some of the merchants, the company said in a blog post that noted fewer than 200 sellers were affected.

Customer transaction records from some of the merchants were obtained by hackers on Sept. 15, according to an email sent to customers by 100% Pure, a cosmetics retailer that uses the Shopify platform.

“We deeply value the trust of our customers and we are sorry that this incident has questioned it,” said Ric Kostick, chief executive officer of 100% Pure. “Our top priority right now is to ensure that the safety and security of their data are protected. We are carefully evaluating the extent of this incident with Shopify and will take all necessary and immediate actions to prevent this from happening again.”

Shopify terminated the two employees’ access to its network and the company is working with the Federal Bureau of Investigation and other international agencies that are investigating what it called “criminal acts.” Shopify shares slipped more than 1% in extended trading on Tuesday.

The hacked stores may have had customer data exposed, including emails, names, addresses and order details, the company added. Complete payment card numbers or other sensitive personal or financial information were not part of the incident, Shopify said.

Shopify sells subscription software to help merchants run online stores. The Ottawa-based company has had a dizzying rise since going public in 2015. The coronavirus pandemic has boosted growth even more as lockdowns pushed more retailers online. It is now the most valuable Canadian company on public markets.

Last year, a security researcher found a bug in Shopify’s software code that could have exposed revenue information for thousands of online stores.