Shopify sees malicious employees steal merchant data: Security expert commentary

News broke overnight that rogue employees at Shopify stole data from more than 100 merchants, which potentially exposed consumer data for those who shopped on the e-commerce sites using the company’s software.

Compromised data may include emails, names, addresses, and order details. The employees have since been terminated, and the FBI is assisting in an investigation.

More information: https://www.businessinsider.com/rogue-shopify-employees-stolen-customer-data-200-shops-2020-9?r=US&IR=T

Expert Comments

September 24, 2020
Bryan Skene
CTO
Tempered
While workforces remain in remote conditions for the foreseeable future, many organizations have rightfully chosen to adopt a zero-trust policy to counter insider threats like the ones seen at Shopify. Zero trust protects against these situations because everything (user, server, or networked thing) is required to establish trust first in order to communicate, even within the network perimeter. We recommend utilizing a software-defined perimeter (SDP) that extends invisibility to cloud, multi-cloud, virtual, physical, and edge environments. This provides global connectivity and mobility for entire workforces using one comprehensible policy, wherever they are, for whatever they need to reach securely. Best of all, this can be deployed without ripping and replacing (or even modifying in most cases) existing infrastructure. State-of-the-art solutions are available today that utilize this type of SDP to isolate the network into trusted microsegments and can be deployed as overlays on top of any IP network. This creates a modern, zero-trust approach to network security that minimizes the common flaws we see in legacy products and prevents insider and external threats.
September 24, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
Many organisations have their eye on criminals attacking from outside and can often turn a blind eye to the threats that exist within. It's therefore important that organisations build a culture of security which can reduce the likelihood of employees intentionally or accidentally causing harm. Beyond that, organisations should also be mindful of the levels of access they grant to employees and what they can do independently. Restricting privilege and segregating duties as well as having robust monitoring controls can help prevent and quickly identify where suspicious activity may be taking place. With the pandemic still impacting the global economy, it could be easier for employees to fall into the trap of trying to make quick money through illegal means, therefore, organisations should remain extra vigilant.
September 24, 2020
Martin Jartelius
CSO
Outpost24
This is the way we would like to see incident disclosures. Proper logging and monitoring, leading to preventing a huge incident - even though this was a rogue employee risk which is perceived as near impossible to completely defend against, it has both been detected and transparently disclosed. A nice change from reading alerts on new ransomware victims which is otherwise far too common.
September 24, 2020
Warren Poschman
Senior Solutions Architect
comforte AG
The Shopify attack is the perfect example of the risks many organisations face. The chances of a breach are higher than ever before for online retailers especially with so many consumers preferring online shopping due to the current pandemic. While it can be difficult to immediately identify a rogue employee or malicious insider, the damage they can do can be irreversible and can create a lot of distress on both the business side and on consumers as fraud is easy to commit with stolen or accessed account information. Currently, classic security defenses like firewalls, strong authentication and access management, volume-level encryption, and IPSec, which many businesses still leverage, only protect you from known attack methods and often fail when it comes to insider threats. To do that effectively, tokenization should be used as the data remains anonymised throughout its use. Retailers want to provide a positive service to consumers but to get this right, businesses must protect their customers' data.
September 24, 2020
Paul (PJ) Norris
Senior Systems Engineer
Tripwire
Organisations are often so focussed on protecting their infrastructure and data from external threats that they forget that, like the classic horror film ploy, the call may be coming from inside the house. Employees have access to their organisation’s sensitive assets, which is why it isn’t all that uncommon for disgruntled employees to steal data or even accept bribes from cybercriminal groups whose vaults are replenished regularly by the returns of their malicious campaigns. Hopefully, Shopify will have a monitoring system in place that will aid their security team and the FBI in analysing which accounts have been compromised and how the incident occurred. Organisations should protect themselves from insider threats by designing their environment with the least privilege in mind, so that only the right people have access to sensitive data at the right time. It is impossible to reduce the risk of a rogue employee intentionally causing a security incident, which is why it is best to have all the measures in place to monitor activity on sensitive servers and to record sessions in the unfortunate event that a forensic investigation becomes necessary.
September 24, 2020
Tarik Saleh
Senior Security Engineer and Malware Researcher
DomainTools
Cybersecurity awareness is effective against human error, but can do nothing about this type of intentional human compromise. Vetting employees before granting them access to sensitive servers is one option, although it will never reduce the risk down to zero. Another is ensuring access to documents and sensitive data is restricted and only granted on a 'need to know' basis. Security efforts in this type of scenario need to be reactive: teams need to have the right systems in place to detect unusual activity in their networks and flag it immediately as suspicious. It is better to accidentally terminate a legitimate session than to allow an insider attack to continue undisturbed. Hopefully, the joint efforts of the FBI and Shopify will help determine how the breach occurred and, most importantly, who were the affected parties that will need to be notified.
September 24, 2020
Jake Moore
Cybersecurity Specialist
ESET
Some of the biggest threats to cybersecurity come from physical access to a network, which can be extremely difficult to protect against. Employees armed with both insider knowledge and access can be extremely damaging, with the potential to create more problems than external attacks. This incident highlights the importance of limiting user privileges wherever possible to limit vulnerabilities. Insider threats are a constant risk that businesses have always had to take a chance with. However, an increase in remote working – alongside the consequent factor of new employees never physically meeting their employers – accelerates the risks, meaning that insider attacks may become more prevalent than ever.
September 24, 2020
Orion Cassetto
Director, Product Marketing
Exabeam
It is critical for businesses to recognise that threats from legitimate users have always been more elusive and harder to detect or prevent than traditional external threats. The two employees from Shopify were able to steal data from over 100 merchants, potentially exposing emails, names, addresses, and other details of thousands of customers. Organisations must be armed with the tools to prevent enemies from within their walls from launching attacks. A combination of training, organisational alignment, and technology is the right approach to stopping insider threats. Behavioural analytics technology that tracks, collects and analyses user and machine data to detect threats within an organisation is essential because it determines anomalous from normal behaviours. This is typically done by collecting data over a period of time to understand what normal user behaviour looks like, then flagging behaviour that does not fit that pattern. It can often spot unusual online behaviours – credential abuse, unusual access patterns, large data uploads – that are telltale signs of insider threats. More importantly, it can often spot these unusual behaviours among compromised insiders long before criminals have gained access to critical systems.
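
The baseline-then-flag approach Cassetto describes, and the "detect unusual activity and flag it immediately" point Saleh makes above, reduce to a small amount of code once access to merchant data is logged per user. The following is an added example written for this page; it is not code from the original article, from Shopify, or from any of the vendors quoted. The log format (date, staff user, merchant id, number of customer records exported), the five-day baseline window, the z-score multiplier and the absolute floor are all assumptions chosen for illustration, and the log lines are constructed. It learns each user's normal daily export volume and the set of merchants they usually touch, then scores one day against that history, including the edge case of a user with no history at all.

```python
"""Baseline-then-deviate detection over constructed support-tool access logs.

Added example, not code from the original page, Shopify or Exabeam. The log
format, window and thresholds are assumptions chosen for illustration.
"""
import statistics
from collections import defaultdict
from datetime import date

# Constructed log lines: "YYYY-MM-DD user merchant_id records_exported".
# alice and bob have five days of routine activity. On 2020-09-06 bob pulls
# hundreds of records from merchants he has never touched, and carol is a
# new account with no history to score against.
SAMPLE_LOG = """\
2020-09-01 alice m1 40
2020-09-01 alice m2 20
2020-09-01 bob m4 50
2020-09-02 alice m1 30
2020-09-02 alice m2 25
2020-09-02 bob m4 45
2020-09-02 bob m5 10
2020-09-03 alice m2 50
2020-09-03 bob m5 55
2020-09-04 alice m1 45
2020-09-04 alice m3 15
2020-09-04 bob m4 40
2020-09-05 alice m1 35
2020-09-05 alice m2 30
2020-09-05 bob m5 60
2020-09-06 alice m1 30
2020-09-06 alice m2 35
2020-09-06 bob m6 300
2020-09-06 bob m7 280
2020-09-06 bob m8 310
2020-09-06 bob m4 20
2020-09-06 carol m9 50
"""


def parse_log(text):
    """Parse the constructed format into (date, user, merchant, records) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, merchant, records = line.split()
        events.append((date.fromisoformat(day), user, merchant, int(records)))
    return events


def build_baseline(events, cutoff):
    """Summarise each user's behaviour on days strictly before `cutoff`.

    Returns {user: {"merchants": set of ids seen, "daily_totals": [int, ...]}}.
    """
    per_user_day = defaultdict(lambda: defaultdict(int))
    merchants = defaultdict(set)
    for day, user, merchant, records in events:
        if day >= cutoff:
            continue
        per_user_day[user][day] += records
        merchants[user].add(merchant)
    return {
        user: {"merchants": merchants[user], "daily_totals": list(days.values())}
        for user, days in per_user_day.items()
    }


def detect(events, baseline, day, z=3.0, floor=100):
    """Score one day's activity against the baseline and return alerts.

    Rules: "volume" when the day's export total exceeds mean + z*stdev of the
    baseline days (with an absolute floor so a near-constant history does not
    alert on trivial changes); "new_merchants" when merchants outside the
    historical set are touched; "no_baseline" when there is nothing to score
    against, so an analyst reviews the user rather than silently passing them.
    """
    totals = defaultdict(int)
    touched = defaultdict(set)
    for ev_day, user, merchant, records in events:
        if ev_day == day:
            totals[user] += records
            touched[user].add(merchant)

    alerts = []
    for user in sorted(totals):
        if user not in baseline:
            alerts.append({"user": user, "rule": "no_baseline", "detail": totals[user]})
            continue
        hist = baseline[user]["daily_totals"]
        mean = statistics.mean(hist)
        sd = statistics.stdev(hist) if len(hist) > 1 else 0.0
        if totals[user] > max(mean + z * sd, floor):
            alerts.append({"user": user, "rule": "volume", "detail": totals[user]})
        new = sorted(touched[user] - baseline[user]["merchants"])
        if new:
            alerts.append({"user": user, "rule": "new_merchants", "detail": new})
    return alerts


def run_sample():
    """Score 2020-09-06 of the constructed log against the five days before it."""
    events = parse_log(SAMPLE_LOG)
    day = date(2020, 9, 6)
    return detect(events, build_baseline(events, day), day)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed data alice stays within her baseline and produces nothing, bob trips both the volume rule (910 records against a history averaging about 52 per day) and the new-merchants rule (m6, m7, m8), and carol is surfaced for review because she has no history. The floor matters in practice: a user whose baseline is five identical days has a standard deviation of zero, and without the floor any single extra record would alert.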