Lessons to Learn From Shopify Data Breach
Security Experts Call for 'Zero Trust' Approach, Enhanced IAM
Shopify’s announcement this week that two employees inappropriately accessed transactional data from 200 of the merchants that use its e-commerce platform demonstrates the importance of taking a “zero trust” approach to security and improving identity and access management capabilities, security experts say.
Security teams must take steps to ensure only workers with the proper credentials have access to critical data, says Bryan Skene, CTO of the network-access security firm Tempered.
"Many organizations have rightfully chosen to adopt a zero trust policy to counter insider threats like the ones seen at Shopify," Skene says.
In its announcement about the security incident, Shopify, which serves more than 1 million merchants with $200 billion in annual sales, did not release details about the two now-former employees, including their names, jobs and locations. Nor did the company reveal the merchants involved, a timeframe of the incident or how many of the merchants' customers had data compromised.
"Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants,” the company says in a statement. “We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement.”
The information that may have been accessed by the two employees includes names, email addresses and mailing addresses, as well as order details - such as products and services purchased, the company says. Payment card information was not exposed, it says.
Shopify did not immediately reply to a request for additional details.
Torsten George, cybersecurity evangelist for security firm Centrify, says that many organizations grant their staff members, contractors and partners too much access privilege.
"Businesses need to adjust their security strategies to match modern threats, moving away from sloppy password practices and unsecured privileged access and shifting to focus on administrative access controls based on a least privilege approach," George says.
He recommends companies enforce segregation of duties, establish least privilege, implement access request and approval workflows and leverage user and entity behavior analytics based on machine-learning technology to monitor privileged user behaviors.
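One way to operationalize the behavior-analytics and approval-workflow recommendations above, as an added example that is not Shopify's or Centrify's code: a peer-baseline check over constructed support-agent access-log entries that flags agents pulling records for far more merchants than their peers, and lookups that carry no ticket reference. The log format, agent names, merchant ids and the median/MAD threshold are all assumptions made for the example.

```python
"""Peer-baseline detection of anomalous support-agent record access.

Added example (not Shopify's tooling): a minimal UEBA-style check that
flags support agents whose record lookups deviate from their peers, and
lookups with no support ticket (approval-workflow bypass).
Every log line below is constructed sample data.
"""
from collections import defaultdict
from statistics import median

# Constructed audit log: (agent, merchant id, ticket reference or None)
ACCESS_LOG = [
    ("agent_a", "m1001", "T-1"), ("agent_a", "m1002", "T-2"),
    ("agent_b", "m1003", "T-3"), ("agent_b", "m1003", "T-3"),
    ("agent_c", "m1004", "T-4"), ("agent_c", "m1005", "T-5"),
    ("agent_d", "m1006", "T-6"),
    # agent_x touches many merchants and never cites a ticket
    *[("agent_x", f"m2{i:03d}", None) for i in range(40)],
]


def per_agent_counts(log):
    """Distinct merchants per agent, and number of ticketless lookups."""
    merchants = defaultdict(set)
    ticketless = defaultdict(int)
    for agent, merchant, ticket in log:
        merchants[agent].add(merchant)
        if ticket is None:
            ticketless[agent] += 1
    return {a: len(m) for a, m in merchants.items()}, dict(ticketless)


def flag_outliers(counts, k=3.0):
    """Agents whose distinct-merchant count exceeds median + k * MAD.

    Median/MAD is a robust peer baseline: one rogue agent cannot drag it
    up the way a mean/stdev would. A floor of 1 on MAD avoids flagging
    everyone when peers are near-identical.
    """
    values = list(counts.values())
    med = median(values)
    mad = max(median(abs(v - med) for v in values), 1)
    return sorted(a for a, c in counts.items() if c > med + k * mad)


def detect(log):
    """Run both checks; returns sorted agent lists per finding type."""
    counts, ticketless = per_agent_counts(log)
    return {
        "volume_outliers": flag_outliers(counts),
        "ticketless_access": sorted(a for a, n in ticketless.items() if n),
    }


if __name__ == "__main__":
    print(detect(ACCESS_LOG))
```

In production the same two signals would be computed per time window against each agent's own history as well as the peer group, and fed to the SOC alongside the ticket system's record of which merchant each ticket concerns.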
The Insider Threat
The threats posed by insiders are growing because so many staff members now work from home, security experts say.
"The very tools that are making it easy to collaborate and get work done in a remote work environment - Slack, Teams, OneDrive, Google Drive - are also making it easier to exfiltrate data like product ideas, source code and customer lists," Jadee Hanson, CISO and CIO at the security firm Code42, tells Information Security Media Group.
"While security teams’ mandate to protect data hasn't changed with a largely remote workforce, it’s clear that end users are not as vigilant, so it is even more crucial for security teams to watch data movements across their entire environment whether employees are on or off the network," she says.
Skene of Tempered emphasizes the need to adopt a zero-trust framework so the security team can better track who is coming in and out of the network.
"Zero trust protects against these [insider threat] situations because everything - user, server or networked thing - is required to establish trust first in order to communicate, even within the network perimeter," he says.
Skene recommends companies use a software-defined perimeter that extends visibility to cloud, multi-cloud, virtual, physical and edge environments.
With so many employees working from home, Hanson says organizations must have tools in place that give visibility into file movements, enabling them to verify that corporate intellectual property and sensitive data is not leaving the organization.
"Endpoint tools - especially those that provide visibility to file movements - are playing an increasingly important role in today’s security programs. They provide security teams with much more valuable data than they did pre-pandemic," she says.