Shopify just confirmed that two members of its support team (who have been fired) stole customer data from at least 100 merchants. The specific intent behind the theft has not been revealed. Shopify also states that it does not believe the data has been used yet, although it seems too early to tell the impact of this breach.
According to TechCrunch, these rogue employees accessed the customer data through Shopify’s Orders API, a tool that helps merchants process orders on behalf of their customers. These employees gained access to potentially millions of customer records, which contained personally identifiable information (PII) and the last four digits of customers’ credit card numbers.
How do I know if I was affected?
Shopify has stated that it has informed all merchants whose customer data has been affected. Make sure to check your emails to stay informed if you’ve been impacted by this breach. If you have not been contacted, that does not mean that your data was not impacted in the breach; it just means there hasn’t been any communication yet.
What should I do if my data was breached?
Under CCPA guidelines, businesses that have been subject to a data breach must disclose this information to affected consumers. From an ethical standpoint, businesses should do this for all of their consumers. However, from a legal standpoint, a business must at least inform its California customers about this potential impact. It isn’t a fun email to send, but it’s important to build trust with your customers and alert them to privacy threats like this.
Shopify’s Data Problem
This is not the first time Shopify’s data has been breached. There have been multiple incidents of information leaking in the past, ranging from other customer data breaches to leaks of merchant revenue numbers.
As Shopify explodes in popularity and the e-commerce vertical continues to boom, the platform’s faulty data privacy measures present a significant concern. Shopify competitors are on the rise, and merchants could be swayed to other platforms if privacy concerns continue to arise. Merchants can also be held liable if they do not take steps toward having “reasonable security” for their consumers’ data, such as opt-out tools.
Incidents like this show the clear necessity of having privacy tools in place. Contact us at Support@loginhood.io if you have any questions about this data breach or about implementing a privacy solution. Our team is always available and happy to assist.