On September 22, 2020, e-commerce platform Shopify disclosed a security incident on their blog. Shopify reported that two “rogue” support team employees illegitimately accessed and stole customer transactional records of certain merchants, including Thrive Causemetics and Kylie Cosmetics.
Apparently, the two employees accessed shopper data using Shopify’s Orders API, which lets merchants process orders on behalf of their customers. Shopify did not say how many end customers were affected by the theft of data from merchants, but the emails sent to merchants reportedly contained the specific number of customer records stolen in the breach. One affected merchant claims that more than 4,900 customer records were accessed.
Shopify claims to be notifying affected merchants “as relevant,” but has not yet disclosed a list of those companies. So far, nearly 200 companies have reportedly been notified of their exposure to the data breach.
The unauthorized access reportedly spans from August 15 to September 15, 2020. Shopify claims to have terminated these individuals’ access to their network and has reported the incident to law enforcement.
Compromised customer information may include:
Shopify currently claims that only the last four digits of credit cards were stolen in the security incident. However, online discussions reveal multiple shoppers who received Shopify data breach notices and claim to have suffered fraudulent credit card charges that correspond with the data breach time window.
Even without full financial information, hackers could potentially use such data to launch targeted phishing attacks. So far, Shopify has not offered identity monitoring services to affected individuals.
Unfortunately, this is not Shopify’s first breach of customer payment information. On May 20, 2020, popular startup Bombas learned that malicious code in their Shopify e-commerce platform may have scraped personal information as customers purchased product online. The sock retailer reports that consumer data was exposed during a window from November 11, 2016, to February 16, 2017.
Shopify was originally founded in 2004 as Snowdevil, an online store for snowboarding equipment, which led to the development and launch of the Shopify platform two years later. The Canadian company now employs over 5,000 and claims to be an all-in-one commerce vendor, providing tools for payments, marketing, shipping and customer engagement for over one million businesses worldwide. Shopify’s estimated annual revenues are over 1.5 billion USD.
If you received a NOTICE OF DATA BREACH for one of these data breaches and a class action lawsuit has been filed, you will be included automatically in the class unless you opt-out and no further action will be required by you. Class members have a passive role throughout class action litigation. If the lawsuit is successful, all class members receive equal compensation which is awarded to all class members, regardless of the degree of harm they suffered.
With personal injury cases, success is defined by more than the number of dollars awarded at settlement. Our clients come to us not just bearing physical and financial trauma, but emotional and situational scars, as well. As the legal process evolves, relationships are built with our clients that typically last for a lifetime. Sometimes, that […]Learn More
On November 8, 2018, Anna* and her family fled their home in response to the Camp Fire mandatory evacuation. The massive fire destroyed more than 18,000 homes, displacing 50,000 residents in the town of Paradise, California, and surrounding areas. They didn’t have friends or relatives in neighboring cities to stay with and soon discovered that […]Learn More
On a warm August evening, Ray G. and his family were driving home from a school sporting event. As his Ford F250 pickup traveled through an intersection on Washington Blvd in Roseville, California, a Toyota Corolla compact sedan ran the red light and slammed into the driver’s side of Ray’s truck. The driver of the […]Learn More
Kimberly and Brian, both established professionals in Sacramento, were excited about moving into a charming yellow house in one of the best neighborhoods in the area. They had agreed to a lease-to-own arrangement that allocated $3,500 per month toward rent and an additional $2,000 per month toward a refundable deposit for the potential purchase of […]Learn More
Matthew B. contacted the Arnold Law Firm after consulting with multiple attorneys in the Sacramento area, including another major personal injury firm and an attorney specializing in motorcycle accidents. His case was rejected by other attorneys due to complexity with liability. As the rider in a car vs. motorcycle collision, Matthew suffered significant injuries to […]Learn More
Mr. E was on his way to work one very ordinary fall morning when an inattentive driver ran a red light, collided with his vehicle, and changed his life forever. In that moment, although he didn’t realize it at the time, a chain of events was set into motion that affected every aspect of his […]Learn More