Canadian Security Magazine

Shopify yet to inform federal privacy commissioner of breach involving ‘rogue’ staff

By Tara Deschamps, The Canadian Press   

News Data Security pipeda privacy privacy commissioner shopify

The office of Canada’s privacy commissioner says Shopify Inc. has yet to notify it of a recent data breach the company says was carried out by two “rogue” employees.

“We have not received a breach report about this incident,” Vito Pilieci, a senior communications adviser for the Office of the Privacy Commissioner of Canada, told The Canadian Press in an email Wednesday.

“Our office is reaching out to Shopify, given the potential seriousness of the breach, to request more information about the matter.”

Under the Personal Information Protection and Electronic Documents Act, it is mandatory for companies to report breaches to the privacy commissioner’s office, “where it is reasonable to believe that the breach creates a real risk of significant harm to an individual, Pilieci said.


Shopify didn’t immediately respond to a request for comment about notifying the privacy commissioner’s office. Company spokeswoman Rebecca Feigelsohn said the two employees involved in the breach were fired.

On Tuesday, the Ottawa-based company first revealed on an online discussion board that it had identified two workers involved in illegitimately obtaining records connected to some of its merchants.

“We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts,” the company said.

“While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.”

The customer data the employees were accessing was linked to fewer than 200 merchants, who Shopify has declined to identify but says have been notified.

The improperly accessed data includes basic contact information, such as emails, names and addresses, as well as order details, like what products and services were purchased.

Shopify said complete payment card numbers and other sensitive personal or financial information were not part of the incident and it has yet to find evidence that any of the data was used.

This report by The Canadian Press was first published September 23, 2020.

News from © Canadian Press Enterprises Inc. 2020.

Print this page


Stories continue below


Leave a Reply

Your email address will not be published. Required fields are marked *