Following an investigation, e-commerce company Shopify has announced two employees were behind a data breach that has affected some of the merchants on its platform.
Shopify claimed that following its investigation it determined two “rogue members” of its support team were engaged in a plot to obtain the customer transactional records of specific merchants. Shopify said it immediately terminated the individuals’ access to the Shopify network and contacted law enforcement about the incident.
“We don’t take these events lightly at Shopify,” the company said in its statement. “We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.”
The company also stressed the breach was not the result of a technical vulnerability on its platform, but noted the merchants affected may have had customer data exposed, including contact information, such as emails, names, and addresses, as well as order details, such as products and services purchased.
Shopify noted complete payment card numbers or other sensitive personal or financial information were not compromised in this incident.
“While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant,” Shopify stated.
The company said it has been in close communication with the affected merchants and is currently working with the United States’ Federal Bureau of Investigation, in addition to other international agencies on the matter.
The data breach follows a year of growth for Shopify. The company has seen the number of merchants on its platform soar during the COVID-19 pandemic, and has become one of Canada’s most valuable companies, recently raising $1.91 billion in a public offering.
Shopify declined to provide additional comment beyond its public statement.