CALL 916-777-7777
Youtube Facebook-f X-twitter Linkedin-in

Shopify Data Breach

Posted on behalf of Arnold Law Firm in

shopify data breachOn September 22, 2020, e-commerce platform Shopify disclosed a security incident on their blog. Shopify reported that two “rogue” support team employees illegitimately accessed and stole customer transactional records of certain merchants, including Thrive Causemetics and Kylie Cosmetics.

Apparently, the two employees accessed shopper data using Shopify’s Orders API, which lets merchants process orders on behalf of their customers. Shopify did not say how many end customers were affected by the theft of data from merchants, but the emails sent to merchants reportedly contained the specific number of customer records stolen in the breach. One affected merchant claims that more than 4,900 customer records were accessed.

Shopify claims to be notifying affected merchants “as relevant,” but has not yet disclosed a list of those companies. So far, nearly 200 companies have reportedly been notified of their exposure to the data breach.

The unauthorized access reportedly spans from August 15 to September 15, 2020. Shopify claims to have terminated these individuals’ access to their network and has reported the incident to law enforcement.

Compromised customer information may include:

  • First and last names
  • Addresses
  • Emails
  • Product order information
  • BIN numbers
  • Payment card information (limited)

Shopify currently claims that only the last four digits of credit cards were stolen in the security incident. However, online discussions reveal multiple shoppers who received Shopify data breach notices and claim to have suffered fraudulent credit card charges that correspond with the data breach time window.

Even without full financial information, hackers could potentially use such data to launch targeted phishing attacks. So far, Shopify has not offered identity monitoring services to affected individuals.

Unfortunately, this is not Shopify’s first breach of customer payment information. On May 20, 2020, popular startup Bombas learned that malicious code in their Shopify e-commerce platform may have scraped personal information as customers purchased product online. The sock retailer reports that consumer data was exposed during a window from November 11, 2016, to February 16, 2017.

Shopify was originally founded in 2004 as Snowdevil, an online store for snowboarding equipment, which led to the development and launch of the Shopify platform two years later. The Canadian company now employs over 5,000 and claims to be an all-in-one commerce vendor, providing tools for payments, marketing, shipping and customer engagement for over one million businesses worldwide. Shopify’s estimated annual revenues are over 1.5 billion USD.

How do I join a class action suit?

If you received a NOTICE OF DATA BREACH for one of these data breaches and a class action lawsuit has been filed, you will be included automatically in the class unless you opt-out and no further action will be required by you. Class members have a passive role throughout class action litigation. If the lawsuit is successful, all class members receive equal compensation which is awarded to all class members, regardless of the degree of harm they suffered.

Settlement - $3,767,000

Truck Accident

A 20-year-old man who had been married for just 12 days left home on his way to work. He was driving on Pleasant Grove Road in Sutter County in the early morning when he came upon a slow-moving truck. As he pulled out to pass the truck, the truck driver turned left in front of him. The young man attempted to steer back into his lane but his vehicle struck an un-flagged piece of metal extending from the back of the truck. He died in the resulting crash.

Expert witnesses brought in by the Arnold Law Firm proved that the truck, owned and operated by a hauling firm, should never have been on the highway that morning. Specifically, the rear and side turn signals did not work and the rear-view mirror was in a poor state of adjustment at the time of the collision. As a result, the driver, who had failed to properly inspect the vehicle before setting out that morning, couldn’t see the young man’s vehicle as it attempted to pass.

The poor condition of the truck, its lack of maintenance and the manner in which it was operated were found to be substantial factors in causing the collision that killed the young man. The testimony also established that the man had been making a lawful pass at the lawful speed limit and acted reasonably when he attempted to avoid the collision.

The man’s 20-year-old widow was awarded $3,767,000.77, his parents were awarded $185,131 and the family was reimbursed $11,899 in funeral expenses. Though money is a poor substitute for a young man’s life, this verdict demonstrates that drivers who endanger the lives of others will be held accountable for their actions.