Andrés Buenahora

Shopify Breach - Help Center Employees

Updated: Oct 5, 2020

Shopify recently experienced a data breach that was allegedly perpetrated by “two ‘rogue employees’ who worked on the e-commerce platform’s support team and illustrates how certain roles within an organization may require more stringent monitoring” (https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/).


According to Shopify’s digital support page, the default support team typically defers to the help center, whose employees are in charge of handling sellers’ and buyers’ questions and inquiries. SC Media has reported that experts have noted that employees working in this help center department “potentially have access to a wide variety of data at their fingertips, which they might view, gather or exfiltrate for illegitimate purposes” (https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/).


Director of counter-insider threat research at the remote employee monitoring company Dtex Systems, Armaan Mahbod, said of the data breach, “‘it is critical that these individuals be monitored’ [because] such employees often have the ability to use remote service tools to directly access their clients’ systems, websites and customer portals, and potentially even their transaction logs” (https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/). Mahbod’s point makes sense, since these employees were responsible for the data breach in this particular case.


Furthermore, because Shopify is a third-party service for e-commerce, a similar situation could arise in the future in which a seller, or a customer service representative working under a seller, has access to consumer information and data. This data breach sheds light upon the importance of privacy while designing websites, applications, and online retail stores. Security evangelist at PerimeterX, Ameet Naik, recommends collecting “as little PII as possible to minimize the impact of an insider-led data breach” going forward, a logical choice for the future of online retail.


The significant risk of these kinds of scenarios is that if employees under the support team have admin access, these workers would have the opportunity to “inject shadow code into these stores in the form of third-party plugins and scripts, which can then be used to launch skimming attacks against the merchant, fueling an endless cycle of account takeover and credit card fraud” (https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/).


As reported in Shopify’s official online notification, both employees involved in this incident, whose access to Shopify and consumer data has since been terminated, were “engaged in a scheme to obtain customer transactional records of certain merchants” (https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/). In the process, these employees exposed the private information and data of a large number of customers, such as email addresses, first and last names, physical addresses, and even specific order details. Fortunately, the most sensitive financial information, such as credit card and payment card numbers, was not compromised. However, even the basic private information that was released can often be more than enough for cybercriminals to exploit when forming phishing attacks targeted at specific people. Mahbod has stated that although Shopify has not officially announced how many merchants or consumers were impacted by this data breach, the fact that “many Shopify merchants were affected at the very least suggests the employees’ actions were not flagged and detected as quickly as they probably should have been” (https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/).


Mahbod further confirmed that when these kinds of scams do happen, they tend to occur gradually over a period of time, and that this particular data breach was very likely thought out and pre-planned for quite some time. Taking this into account, Mahbod also said that this case “should have been detected far, far sooner. It should have been nipped in the bud” (https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/). If this data breach had been discovered earlier, the protection of merchant and consumer data, as well as the prevention of future data breaches, could perhaps have been achieved sooner. Executive Director of Field Engineering at Securonix, Shareth Ben, observed that typically “staff or contractors who work in a help center role should have limited access or access specific to their job function if the concept of ‘least privilege’ is adhered to. In this situation [with Shopify], we are not certain if that is the case” (https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/). In light of these recent events, security evangelist at PerimeterX, Ameet Naik, recommends that companies such as Shopify institute what is known as a zero-trust strategy. This method, when implemented correctly, would consist of companies “ensur[ing] privacy is integral to the design of their platforms, and take a zero-trust approach to secure access” (https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/). Naik has emphasized that many times, “internal employees, such as those handling support tickets, often have privileged access to customer information, including personally identifiable information in some cases” (https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/).


While Naik’s extensive experience and zero-trust approach hold significant merit when it comes to enhancing cybersecurity measures, Mahbod argued that locking employees within the support center out of their organization’s systems can “potentially backfire” if this is applied too rigidly. For context, Mahbod’s argument stems from the point of view that in order for these employees to do their jobs to the best of their abilities, they will generally require “quick access to a wide array of capabilities and systems. ‘It just causes the business to be more inefficient and move ineffectively,’ said Mahbod” (https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/). If we take both perspectives into account, an optimal strategy may in fact be a compromise that blends key points from both approaches. For example, organizations could “monitor the workforce for activity that violates behavioral norms, particularly activity that deviates from employees’ role-based responsibilities and past actions... sending data or files through personal email or instant messaging tools, or activity taking place during off-hours are other major red flags, advocating for tools that provide a full, visible audit trail across all systems to which an employee has access” (https://www.scmagazine.com/home/security-news/data-breach/shopify-breach-help-center-employees-are-a-unique-breed-of-insider-threat/).
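To make the compromise above concrete, here is an added example (not code from the original post, from SC Media, or from Shopify) of a small insider-threat monitor over help-center audit logs. It combines the two controls the experts describe: a least-privilege policy that limits each role to its job-specific resources, and behavioral checks that flag out-of-role reads, off-hours activity, bulk record retrieval, and exports to personal addresses. The log lines, role names, business hours, volume threshold, and corporate domain are all constructed for illustration and are not Shopify’s actual configuration.

```python
"""Added example: least-privilege policy plus behavioral checks over audit logs.
All roles, thresholds and log entries below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, time
import json

# Least-privilege policy: resource types each role may read.
# Constructed for the example; the real role model is not public.
ROLE_POLICY = {
    "help_center": {"ticket", "order_status"},
    "billing": {"ticket", "order_status", "transaction"},
    "admin": {"ticket", "order_status", "transaction", "store_config"},
}

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed local working hours
BULK_THRESHOLD = 50                          # records per user per hour
CORPORATE_DOMAIN = "example-corp.test"       # placeholder corporate mail domain


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def out_of_role(role, resource):
    """True when the policy does not grant this role read access to the resource."""
    return resource not in ROLE_POLICY.get(role, set())


def analyze(log_lines):
    """Return (user, finding) tuples for each alertable event, in log order."""
    findings = []
    hourly = defaultdict(int)   # (user, hour bucket) -> records read
    bulk_flagged = set()        # buckets already reported, to avoid repeats
    for line in log_lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if is_off_hours(ts):
            findings.append((user, "off_hours"))
        if ev["action"] == "read":
            if out_of_role(ev["role"], ev["resource"]):
                findings.append((user, f"out_of_role:{ev['resource']}"))
            key = (user, ts.strftime("%Y-%m-%dT%H"))
            hourly[key] += ev.get("count", 1)
            if hourly[key] > BULK_THRESHOLD and key not in bulk_flagged:
                bulk_flagged.add(key)
                findings.append((user, "bulk_access"))
        elif ev["action"] == "export":
            domain = ev["to"].rsplit("@", 1)[-1].lower()
            if domain != CORPORATE_DOMAIN:
                findings.append((user, f"personal_destination:{domain}"))
    return findings


def by_user(findings):
    """Group findings per user so an analyst sees who needs review first."""
    grouped = defaultdict(list)
    for user, finding in findings:
        grouped[user].append(finding)
    return dict(grouped)


# Constructed audit log: one normal weekday session and one suspicious pattern.
SAMPLE_LOG = [
    '{"ts": "2020-09-14T10:15:00", "user": "alice", "role": "help_center", '
    '"action": "read", "resource": "ticket", "count": 3}',
    '{"ts": "2020-09-14T10:20:00", "user": "alice", "role": "help_center", '
    '"action": "read", "resource": "order_status", "count": 2}',
    '{"ts": "2020-09-14T23:40:00", "user": "bob", "role": "help_center", '
    '"action": "read", "resource": "transaction", "count": 60}',
    '{"ts": "2020-09-15T02:05:00", "user": "bob", "role": "help_center", '
    '"action": "export", "to": "bob.personal@webmail.test"}',
]

if __name__ == "__main__":
    for user, items in by_user(analyze(SAMPLE_LOG)).items():
        print(user, items)
```

In the sample log, the help-center account `alice` reads a handful of tickets during business hours and produces no findings, while `bob` reads transaction records that the role policy does not grant, does so late at night and in bulk, and then exports to a non-corporate address; each of those would be an alert in the audit trail the experts recommend. In practice the thresholds would come from each role’s historical baseline rather than a fixed constant.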


Considering this specific data breach at Shopify, the large number of people impacted, and the methods recommended by industry experts, there is no question that cybersecurity, and the security of private and financial data in particular, should be a primary point of focus for many organizations going forward.


