Lessons to Learn From Shopify Data Breach

Security Experts Call for 'Zero Trust' Approach, Enhanced IAM

Shopify’s announcement this week that two employees inappropriately accessed transactional data from 200 of the merchants that use its e-commerce platform demonstrates the importance of taking a “zero trust” approach to security and improving identity and access management capabilities, security experts say.

Security teams must take steps to ensure only workers with the proper credentials have access to critical data, says Bryan Skene, CTO of the network-access security firm Tempered.

"Many organizations have rightfully chosen to adopt a zero trust policy to counter insider threats like the ones seen at Shopify," Skene says (see: Panel Discussion: Zero Trust in Action - Practical Deployments).

Sketchy Details

In its announcement about the security incident, Shopify, which serves more than 1 million merchants with $200 billion in annual sales, did not release details about the two now-former employees, including their names, jobs and locations. Nor did the company reveal the merchants involved, a timeframe of the incident or how many of the merchants' customers had data compromised.

"Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants,” the company says in a statement. “We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement.”

The information that may have been accessed by the two employees includes names, email addresses and mailing addresses, as well as order details - such as products and services purchased, the company says. Payment card information was not exposed, it says.

Shopify did not immediately reply to a request for additional details.

Limiting Access

Torsten George, cybersecurity evangelist for security firm Centrify, says that many organizations grant their staff members, contractors and partners too much access privilege.

"Businesses need to adjust their security strategies to match modern threats, moving away from sloppy password practices and unsecured privileged access and shifting to focus on administrative access controls based on a least privilege approach," George says.

He recommends companies enforce segregation of duties, establish least privilege, implement access request and approval workflows and leverage user and entity behavior analytics based on machine-learning technology to monitor privileged user behaviors.

The Insider Threat

The threats posed by insiders are growing because so many staff members now work from home, security experts say.

"The very tools that are making it easy to collaborate and get work done in a remote work environment - Slack, Teams, One Drive, Google Drive - are also making it easier to exfiltrate data like product ideas, source code and customer lists," Jadee Hanson, CISO and CIO at the security firm Code42, tells Information Security Media Group.

"While security teams’ mandate to protect data hasn't changed with a largely remote workforce, it’s clear that end users are not as vigilant, so it is even more crucial for security teams to watch data movements across their entire environment whether employees are on or off the network," she says.

Skene of Tempered emphasizes the need to adopt a zero-trust framework so the security team can better track who is coming in and out of the network.

"Zero trust protects against these [insider threat] situations because everything - user, server or networked thing - is required to establish trust first in order to communicate, even within the network perimeter," he says.

Skene recommends companies use a software-defined perimeter that extends visibility to cloud, multi-cloud, virtual, physical and edge environments.

With so many employees working from home, Hanson says organizations must have tools in place that give visibility into file movements, enabling them to verify that corporate intellectual property and sensitive data is not leaving the organization.

"Endpoint tools - especially those that provide visibility to file movements - are playing an increasingly important role in today’s security programs. They provide security teams with much more valuable data than they did pre-pandemic," he says.

About the Author

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.
