Shopify sees malicious employees steal merchant data: Security expert commentary

News broke overnight that rogue employees at Shopify stole data from more than 100 merchants, which potentially exposed consumer data for those that shopped on the e-commerce sites using the company’s software.

Compromised data may include emails, names, addresses, and order details. The employees have since been terminated, and the FBI is assisting in an investigation.

More information: https://www.businessinsider.com/rogue-shopify-employees-stolen-customer-data-200-shops-2020-9?r=US&IR=T

8 Expert Comments
Paul (PJ) Norris , Senior Systems Engineer
InfoSec Expert
September 24, 2020 11:56 am

Organisations are often so focussed on protecting their infrastructure and data from external threats that they forget that, like the classic horror film ploy, the call may be coming from inside the house. Employees have access to their organisation’s sensitive assets, which is why it isn’t all that uncommon for disgruntled employees to steal data or even accept bribes from cybercriminal groups whose vaults are replenished regularly by the returns of their malicious campaigns. Hopefully, Shopify will have a monitoring system in place that will aid their security team and the FBI in analysing which accounts have been compromised and how the incident occurred.

Organisations should protect themselves from insider threats by designing their environment with the least privilege in mind, so that only the right people have access to sensitive data at the right time. It is impossible to reduce the risk of a rogue employee intentionally causing a security incident, which is why it is best to have all the measures in place to monitor activity on sensitive servers and to record sessions in the unfortunate event that a forensic investigation becomes necessary.

Last edited 2 years ago by Paul (PJ) Norris
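One way to act on the monitoring point above, as an added example that is not part of the original commentary: a small detector run over constructed audit lines (a hypothetical format of timestamp, actor, action, merchant id, rows returned) that flags a support account exporting order data for an unusually wide set of merchants inside a short window.

```python
"""Flag accounts that export data for an unusual number of distinct merchants."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format, not Shopify's):
# <ISO timestamp> <actor> <action> <merchant_id> <rows_returned>
SAMPLE_LOG = """\
2020-09-15T09:02:11Z support_a export_orders m_0041 120
2020-09-15T09:07:45Z support_a export_orders m_0041 80
2020-09-15T10:15:02Z support_b export_orders m_0102 30
2020-09-15T10:16:30Z support_b export_orders m_0103 25
2020-09-15T22:01:05Z support_c export_orders m_0200 500
2020-09-15T22:01:40Z support_c export_orders m_0201 480
2020-09-15T22:02:12Z support_c export_orders m_0202 510
2020-09-15T22:02:55Z support_c export_orders m_0203 470
2020-09-15T22:03:30Z support_c export_orders m_0204 495
"""

def parse_audit_log(text):
    """Parse the constructed line format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, merchant, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "actor": actor, "action": action,
                       "merchant": merchant, "rows": int(rows)})
    return events

def exports_per_actor(events, window=timedelta(hours=1)):
    """Per actor, the most distinct merchants exported within any sliding window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] == "export_orders":
            by_actor[e["actor"]].append(e)
    peak = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            merchants = {e["merchant"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(merchants))
        peak[actor] = best
    return peak

def flag_bulk_exporters(events, max_merchants_per_window=3):
    """Actors whose peak distinct-merchant count exceeds the assumed threshold."""
    peak = exports_per_actor(events)
    return sorted(a for a, n in peak.items() if n > max_merchants_per_window)

if __name__ == "__main__":
    print(flag_bulk_exporters(parse_audit_log(SAMPLE_LOG)))
```

The threshold is an assumed value; in practice it would be derived from each role's normal working set of merchants.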
Warren Poschman , Senior Solutions Architect
InfoSec Expert
September 24, 2020 11:58 am

The Shopify attack is the perfect example of the risks many organisations face. The chances of a breach are higher than ever before for online retailers especially with so many consumers preferring online shopping due to the current pandemic. While it can be difficult to immediately identify a rogue employee or malicious insider, the damage they can do can be irreversible and can create a lot of distress on both the business side and on consumers as fraud is easy to commit with stolen or accessed account information.

Currently, classic security defenses like firewalls, strong authentication and access management, volume-level encryption, and IPSec, which many businesses still leverage, only protect you from known attack methods and often fail when it comes to insider threats.

To do that effectively, tokenization should be used as the data remains anonymised throughout its use. Retailers want to provide a positive service to consumers but to get this right, businesses must protect their customer’s data.

Last edited 2 years ago by Warren Poschman
Martin Jartelius , CSO
InfoSec Expert
September 24, 2020 12:00 pm

This is the way we would like to see incident disclosures. Proper logging and monitoring, leading to preventing a huge incident – even though this was a rogue employee risk which is perceived as near impossible to completely defend against, it has both been detected and transparently disclosed. A nice change from reading alerts on new ransomware victims which is otherwise far too common.

Last edited 2 years ago by Martin Jartelius
Javvad Malik , Security Awareness Advocate
InfoSec Expert
September 24, 2020 12:02 pm

Many organisations have their eye on criminals attacking from outside and can often turn a blind eye to the threats that exist within.

It’s therefore important that organisations build a culture of security which can reduce the likelihood of employees intentionally or accidentally causing harm. Beyond that, organisations should also be mindful of the levels of access they grant to employees and what they can do independently. Restricting privilege and segregating duties as well as having robust monitoring controls can help prevent and quickly identify where suspicious activity may be taking place.

With the pandemic still impacting the global economy, it could be easier for employees to fall into the trap of trying to make quick money through illegal means, therefore, organisations should remain extra vigilant.

Last edited 2 years ago by Javvad Malik
Bryan Skene , CTO
InfoSec Expert
September 24, 2020 5:57 pm

While workforces remain in remote conditions for the foreseeable future, many organizations have rightfully chosen to adopt a zero-trust policy to counter insider threats like the ones seen at Shopify.

Zero trust protects against these situations because everything (user, server, or networked thing) is required to establish trust first in order to communicate, even within the network perimeter. We recommend utilizing a software-defined perimeter (SDP) that extends invisibility to cloud, multi-cloud, virtual, physical, and edge environments. This provides global connectivity and mobility for entire workforces using one comprehensible policy, wherever they are, for whatever they need to reach securely. Best of all, this can be deployed without ripping and replacing (or even modifying in most cases) existing infrastructure.

State-of-the art solutions are available today that utilize this type of SDP to isolate the network into trusted microsegments and can be deployed as overlays on top of any IP network. This creates a modern, zero-trust approach to network security that minimizes the common flaws we see in legacy products and prevents insider and external threats.

Last edited 2 years ago by Bryan Skene