Shopify has confirmed a data breach, in which two “rogue members” of its support team stole customer data from at least 100 merchants.
In a blog post, the online shopping site said that its investigation so far showed that the two employees, who have since been fired, were “engaged in a scheme to obtain customer transactional records of certain merchants.”
Shopify said it had referred the matter to the FBI.
The employees allegedly stole customer data, including names, postal addresses and order details, from “less than 200 merchants,” but financial data was unaffected.
Shopify said that it does not have any evidence to suggest that the data was used, but that it had notified affected merchants of the incident.
One merchant shared with TechCrunch a copy of Shopify’s email notification, which said the company first became aware of the breach on September 15, and that the two employees obtained data that was accessible using Shopify’s Orders API, which lets merchants process orders on behalf of their customers. The email also said that the last four digits of the customers’ payment cards were taken in the incident.
Shopify did not say how many end customers were affected by the theft of data from merchants, but the email sent by Shopify contained the specific number of customer records taken in the breach. In this merchant’s case, of more than 1.3 million customer records, over 4,900 were accessed.
A spokesperson for Shopify didn’t respond to a request for comment.
Just last month, Instacart admitted two of its third-party support staff improperly accessed the information for shoppers who deliver grocery orders to customers.