September is designated as National Insider Threat Awareness Month, a month-long holiday intended to educate on the importance of detecting, deterring and reporting insider threats.
Unfortunately, to close out the month, Shopify publicly disclosed that it was the latest victim of a data breach. Unlike the recent Twitter breach, where hackers gained admin-level privileged access through a spear phishing attack, this particular instance was the result of the direct actions of two malicious internal employees.
It’s believed that none of the stolen data was actually leveraged, and yet having to witness a reputable brand such as Shopify and its associated merchants suffer the fallout remains difficult. Events like this are just another reminder of why zero trust must become the new enterprise security standard and why CISO’s must move quickly to implement the practice.
About the Breach
According to the Shopify statement, “complete payment card numbers or other sensitive personal or financial information were not part of this incident.” The data stolen includes basic contact information such as emails, names, and addresses, as well as order details, such as products and services purchased. While this has a marketable value on the dark web, at least it isn’t banking data, which runs a higher security risk if leveraged maliciously.
Another silver lining is that this breach didn’t result from a technical vulnerability in the Shopify platform. Since this isn’t a platform-wide issue, the scope — and in turn, the damage— remains narrow.
That being said, it’s not entirely a relief that what was stolen was “only” the information mentioned above, because that information is saleable. And, at a bare minimum, it’s useful for companies to leverage for unsolicited target marketing.
And, even though Shopify stated the information didn’t contain, “complete payment card information,” there may have been enough information exposed for a savvy criminal to leverage as the basis for a phishing or vishing campaign. People are a lot more likely to believe they are talking to a credit card company representative if that person can correctly provide them the last four digits of their card and the expiration date.
How Zero Trust Could Have Helped
Zero trust architecture might have helped in this case depending on the roles of the individuals in question and how they went about acquiring the data. For example, since they were customer service representatives, had they slowly harvested this data from a support system with a “need” to service a customer, zero trust would not have caught them. However, if instead they had manually iterated through customer records, this would be anomalous behavior and would have been flagged in a good zero trust environment, stopping the threat in its tracks.
The lesson learned here? Insider threats are on the rise, but can be mitigated with the right solutions. Organizations need to take these threats seriously and consider security investments in solutions that help them better understand who has access to what within their organization and who is doing what with this access. And, most importantly, by taking this a step further in creating a zero trust environment, identity verification will help to prevent malicious actors from poking around where they shouldn’t be.