Incident Of The Week: Shopify Internal Data Breach Exemplifies Insider Threat Trend

Cyber Attacks Gauging Human Vulnerabilities


[Records Exposed: 200  |  Industry: E-Commerce  |  Type Of Attack: Insider] 

On Tuesday, Shopify released a statement reporting an internal security incident, carried out by two rogue employees, that affected fewer than 200 merchants' e-commerce stores.

The Facts

Founded in 2006, the Canada-based e-commerce company is the go-to vendor for online retail needs. Shopify supports over one million registered merchants in 175 countries, including big names such as Tesla and Sephora. While the insider breach compromised customer personally identifiable information (PII) held by fewer than 200 of those merchants, it appears Shopify took, and is taking, the necessary steps to mitigate the damage. Still, the breach was significant enough to drop its stock by 1.27% on the New York Stock Exchange.

The statement released by Shopify summarizes the breach as a scheme by two rogue employees to steal transaction details from Shopify merchants. According to Shopify, the compromised data consists of "…basic contact information, such as email, name, and address, as well as order details, like products and services purchased." Payment card numbers and other sensitive financial information were not accessed.


Shopify is working closely with the FBI to investigate the breach and the two former employees who carried out the scheme. It is important to note that the breach was not the result of a technical vulnerability in Shopify's platform: it was a misuse of access by trusted insiders, not an exploit.

Lessons Learned

While the investigation is still young, the incident follows a startling trend in recent cyber security incidents. Tesla's recently thwarted insider attack involved Russian operatives attempting to bribe internal employees. The headline-topping Twitter attack in July was made possible by manipulating internal employees with social engineering tactics.

Increasingly, cyber criminals are expert at gauging human vulnerabilities; their tradecraft is shifting away from the technological and toward the psychological. Ransomware as a Service (RaaS) lets less-technical criminals rent the tooling and concentrate on the human side of the attack: manipulating an employee into supplying the click, credentials or access that the tooling then exploits.


Some tactics are obvious, such as offering enterprise employees large sums of cash in exchange for data or access to internal systems. Others involve manipulating employees by impersonating someone else, or preying on their hectic schedules or carelessness. For example, these actors expertly invoke strong emotions such as fear or urgency, through email or direct contact, to convince or cajole employees into clicking a malicious link or revealing sensitive information.

Quick Tips

The human element of these attacks makes mitigation difficult for enterprises. Still, new security techniques are being developed and deployed to head these social engineering threats off at the pass, such as:

  1. Taking employee baseline assessments to identify risky employees and develop customized training plans that address their behavior.
  2. Moving away from long, tedious, yearly or bi-yearly security trainings and instead implementing short, interactive training sessions that fit better into an employee's day. This strategy has a three-pronged benefit:
    1. Information retention increases.
    2. Practice makes perfect.
    3. Constant training “reminds” employees that the enterprise is well versed in and on the lookout for internal compromises.

While corporations notoriously invest heavily in cyber security software, as they should, no software fully protects against simple human error, whether intentional or accidental. Leading security practitioners urge corporations to build or source strong security awareness training. Even a basic curriculum, such as hovering over a link to see where it really leads and understanding the anatomy of an email address or domain name, measurably reduces exposure. Training addresses the accidental case; for a deliberate insider like the two at Shopify, least-privilege access and monitoring of who reads which customer records limit what a rogue employee can take and how long it goes unnoticed.
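The two habits named above, comparing a link's visible text with its real target and reading the structure of a sender's domain, can also be turned into automated checks. The following is an added example and is not code from the CS Hub article or from Shopify; the trusted-domain list and the sample messages are constructed for illustration.

```python
"""Added example: automated versions of the 'mouse-over' and 'domain anatomy'
checks. TRUSTED_DOMAINS and SAMPLE_MESSAGES are constructed for this example."""
import re
from urllib.parse import urlparse

# Domains the organisation legitimately sends mail from. Hypothetical list.
TRUSTED_DOMAINS = {"shopify.com", "cshub.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'a.b.example.com' -> 'example.com'.

    Good enough for .com-style names; production code should consult the
    Public Suffix List so that names like 'example.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def link_target_mismatch(display_text: str, href: str) -> bool:
    """The mouse-over check: the visible link text names one domain but the
    underlying href points at a different registrable domain."""
    if "." not in display_text:
        return False  # 'Click here' names no domain, so there is nothing to compare
    shown = urlparse(display_text if "://" in display_text else "http://" + display_text)
    actual = urlparse(href)
    if not shown.hostname or not actual.hostname:
        return False
    return registrable_domain(shown.hostname) != registrable_domain(actual.hostname)


def sender_domain_reasons(address: str) -> list[str]:
    """Anatomy of the sender address: return the reasons it looks suspicious,
    or an empty list when its registrable domain is one we trust."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address)
    if not m:
        return ["malformed address"]
    host = m.group(1).lower()
    try:
        # Non-ASCII letters (e.g. Cyrillic 'о' standing in for Latin 'o')
        # become 'xn--' punycode labels after IDNA encoding.
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return ["host name cannot be IDNA-encoded"]
    reasons = []
    if "xn--" in ascii_host:
        reasons.append("non-ASCII (punycode) label, possible homoglyph domain")
    reg = registrable_domain(ascii_host)
    if reg in TRUSTED_DOMAINS:
        return reasons
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in ascii_host:  # trusted brand buried in an untrusted domain
            reasons.append(f"brand '{brand}' appears under untrusted domain '{reg}'")
    if not reasons:
        reasons.append(f"registrable domain '{reg}' is not trusted")
    return reasons


# Constructed sample messages for the example (not real mail).
SAMPLE_MESSAGES = [
    {"from": "noreply@mail.shopify.com",
     "link_text": "https://www.shopify.com/admin",
     "href": "https://www.shopify.com/admin"},
    {"from": "billing@shopify.com.account-verify.example",
     "link_text": "shopify.com",
     "href": "https://shopify.com.account-verify.example/login"},
    {"from": "support@sh\u043epify.com",  # Cyrillic 'о' in place of Latin 'o'
     "link_text": "Click here",
     "href": "https://sh\u043epify.com/reset"},
]


def triage(messages):
    """Return (index, reasons) for every message with at least one red flag."""
    flagged = []
    for i, msg in enumerate(messages):
        flags = sender_domain_reasons(msg["from"])
        if link_target_mismatch(msg["link_text"], msg["href"]):
            flags.append("link text and href point to different domains")
        if flags:
            flagged.append((i, flags))
    return flagged


if __name__ == "__main__":
    for idx, flags in triage(SAMPLE_MESSAGES):
        print(f"message {idx}: " + "; ".join(flags))
```

Run against the three constructed messages, the first (genuine subdomain, matching link) passes, the second is flagged twice (brand name used as a subdomain of an untrusted domain, and a link whose text and target disagree), and the third is flagged for its punycode homoglyph label. The punycode check is deliberately blunt: organisations that legitimately use internationalised domain names should allow-list them rather than treat every `xn--` label as hostile.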



