Cyber Incident Victim: Shopify

On September 22, 2020, Shopify disclosed a data breach involving two members of its support team who illegitimately accessed customer transactional records from an unspecified number of merchants. The Ottawa-based e-commerce company identified the employees as "rogue members" of its support organization engaged in a coordinated scheme to obtain the data. Shopify terminated the employees’ access to its network upon discovering the incident but did not specify when the breach began or when it was detected. The company initiated an internal investigation and contacted law enforcement, specifically the U.S. Federal Bureau of Investigation (FBI), to address the incident. Shopify’s public statement did not clarify why the FBI was involved instead of Canadian authorities like the Royal Canadian Mounted Police (RCMP), nor did it identify the affected merchants or quantify the number of impacted customer records.

The breach involved unauthorized access to transactional records, though Shopify did not elaborate on the specific data types compromised beyond this broad category. The company stated it was working directly with the FBI but provided no details on the investigation’s scope or the attackers’ motivations. No evidence suggested the breach extended beyond the two employees or involved external threat actors. Shopify’s response focused on containment through access termination and legal escalation, with no mention of customer notifications, remediation offers, or system-level security changes. The incident highlighted risks associated with insider threats but did not result in publicly disclosed operational disruptions or financial impacts for Shopify or its merchants. The full extent of the breach’s consequences remained unclear due to Shopify’s limited disclosure of affected parties, data sensitivity, or forensic findings.