The Shopify Insider Threat Incident - a wakeup call!

What can we learn from the Shopify incident?  More importantly - what can everyone do to avoid this?

If you weren't aware, a couple of months ago, the global e-commerce provider Shopify said two members of its support staff were caught accessing customer information without authorization.

According to Shopify's announcement, the two employees used their permissions to access customer transactional records from some of its merchants. The company says fewer than 200 merchants were impacted by the incident, and all of them were notified.  Well, that doesn't sound so bad...right?  Wrong! 

The exposed customer data included names, email addresses, physical mailing addresses, and all the other details of what the customers ordered.  I know what you're thinking: "at least they didn't access any credit card or other financial information."  And sure, while the announcement says no payment or financial information was accessed, this should serve as an enormous wakeup call for everyone.  Why?  Think about what it takes to steal someone's identity.  Think about the basic information a thief needs in order to do anything as someone else.

What can you do?  If you haven't already placed freezes or "locks" on your credit bureau accounts, do so; Experian, TransUnion, and Equifax all offer this.  If you use a credit monitoring service (like LifeLock), make sure your plan includes monitoring of not just your credit but your bank(s), mortgage, and everything else.  If you are paying, or were going to pay, for locking your accounts at these agencies, see whether it wouldn't make more sense to use those funds to pay for your LifeLock account.

Shopify has stated that the rogue employees have been terminated and that law enforcement has launched an investigation.  We've all seen this before over the last decade.  It's a tale as old as time: "Rest assured, we're launching a full investigation and will ensure everything is okay moving forward."  Sound familiar?  Don't just rely on their action (or lack thereof).  Do your part to ensure your information is safe, not just from this incident but from future incidents with other vendors and merchants.  You never know: when you're out at a restaurant having a nice dinner, you hand your credit card to the server and they walk away to settle your bill...did they have a skimmer in their pocket or their apron?  How about the person ringing up all the checks?  Do they have a skimmer sitting under the register?

Even with Shopify's statement, “We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant,” they were sure to point out that this insider threat incident did not involve exploitation of a vulnerability in its platform.  Why?  Because they don't want people to think they have other issues besides insider malfeasance. 

“Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly (at Shopify). We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product,” the company states in the article.

The bottom line is that incidents like this are not unheard of and are actually somewhat common.  Last month a Microsoft engineer was sentenced to 9 years for stealing roughly $10M from the company.  A Utah credit union employee was caught stealing personal account information of the credit union's customers.  Last year, Trend Micro said an employee sold the personal information of roughly 100,000 customers to tech support scammers.  A Tesla employee leaked confidential information to outsiders.  YTO Express, one of China's largest courier companies, had an employee sell over 400k pieces of customers' personal information.  I think you get the picture.  It happens everywhere, regardless of the size of the company. 

In summary - it is up to you to protect your own identity, your data, your information.  If you choose not to do so, it's not a matter of if it happens, it's a matter of when it'll happen to you.  I'd suggest going back up and reading the "What can you do" section earlier in this post.