TechGuard Blog

Insider Threats to Blame for Shopify's Recent Breach

E-commerce company Shopify recently suffered a data breach, but it wasn't the result of some outside attackers at work. No, in fact, the threat came from within. Two rogue support workers with Shopify were working together to steal customer data, affecting nearly 200 merchants. Both the FBI and the local authorities were brought in to help with the investigation, and the employees were ultimately discovered. Shopify immediately terminated them, stating, “We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.”

Luckily, it doesn't look like any credit card or financial information was taken. Rather, the data that was taken was contact information such as email, name, address, order details, and order history. That's still significant, but thankfully not as damaging. Shopify's investigation is ongoing, and they are in touch with the affected merchants and their customers.


What is an Insider Threat?

An insider threat is someone within the organization who is giving out or stealing information, whether they are aware of it or not. These insider threats can include employees, former employees, contractors, or any business associates who have access to company information.


Not all Insider Threats are Malicious

Insider threats are something companies must always be vigilant for since they can happen by accident from internal employees not being aware of their own actions. Some insider threats show up through everyday acts such as emails, sharing documents, or even leaving sensitive documents out in the open on their desk.

A recent insider threat breach occurred when Twitter suffered a data breach after a hacker socially engineered some unsuspecting employees to give up their credentials. This data breach affected some pretty high-profile accounts on twitter. The attackers were able to target 130 accounts, tweeting from 45, and downloading the twitter data of 7. Malicious actors are constantly making attempts on employees of larger companies as they tend to have access to more valuable information. Just in the last couple of months, one million dollars was offered to a Tesla employee to plug a USB device into the network, allowing an attacker to gain access. For Tesla, thankfully, the employee reported it and foiled the attempt. In another instance earlier this year, a Roblox employee was also bribed so that attackers could access the information of 100 million users. In these cases, if the employee had accepted the money, they would be considered malicious insider threats.


Organizations can limit their risks of experiencing an insider threat in a few different ways. Starting with the hiring process, make sure background checks are in place. Educate employees so that they aren't easily manipulated by cybercriminals and teach them how to spot the signs of a potential insider threat. Implement a trust but verify policy and make sure employees know who to report suspicious activity to and that they feel comfortable doing so. A layered approach is always the most effective.

Written by Matthew Rech