Shopify says two support staff stole customer data from sellers

Zack Whittaker
BERLIN, GERMANY - SEPTEMBER 18: In this photo illustration the logo of Canadian e-commerce company Shopify Inc. is displayed on a smartphone on September 18, 2019 in Berlin, Germany. (Photo Illustration by Thomas Trutschel/Photothek via Getty Images)

Shopify has confirmed a data breach, in which two "rogue members" of its support team stole customer data from at least 100 merchants.

In a blog post, the online shopping site said that its investigation so far showed that the two employees, who have since been fired, were "engaged in a scheme to obtain customer transactional records of certain merchants."

Shopify said it had referred the matter to the FBI.

The employees allegedly stole customer data, including names, postal addresses and order details, from "less than 200 merchants," but financial data was unaffected.

Shopify said that it does not have any evidence to suggest that the data was used, but that it had notified affected merchants of the incident.

One merchant shared with TechCrunch a copy of Shopify's email notification, which said the company first became aware of the breach on September 15, and that the two employees obtained data that was accessible using Shopify's Orders API, which lets merchants process orders on behalf of their customers. The email also said that the last four digits of the customers’ payment cards were taken in the incident.

Shopify did not say how many end customers were affected by the theft of data from merchants, but the email sent by Shopify contained the specific number of customer records taken in the breach. In this merchant's case, out of more than 1.3 million customer records, over 4,900 were accessed.

A spokesperson for Shopify didn't respond to a request for comment.

Just last month, Instacart admitted two of its third-party support staff improperly accessed the information for shoppers who deliver grocery orders to customers.