It was announced today that Shopify found that they were breeched from an insider threat. Some 200 merchants were affected. Notifications sent, FBI and the Royal Canadian Mounted Police were alerted.
But it was an inside job. It was found that 2 employees conspired to steal customer information including the information of their customers. This quickly became an umbrella effect. Start at the top and deep dive into an organizations transactions to see who their clients are and lift that information.
Sad, but insider threats happen ALL THE TIME ! The old Trust but Verify is so important to the survival of any company.
2 "Rouge members" of their support team were caught stealing the credit card and other PII information of the customers of 200 clients. They go on to say that this was an inside job and not due to any Network or Security failings. Really ? Where was Security? Why weren't they monitoring and spot checking people and transactions ? Were there any scans being performed to look for this ?
This is a major problem. Many Vendors and Service Providers must oversee call in desks and/or database connections for this information. It is so easy for someone to answer the phone, take down PII information and make a copy for themselves. Where were the spot checks and oversight ? Too late it seems in this case.
We may never hear of there were reports or concerns from the Security Department. Most likely never will. But someone had to be aware much earlier than "after a period of time".
If a company is going to have a Security Department, please listen to the concerns of these IT Security people. It will save your business, it will save your reputation!
The original article is here: Yahoo Financial Story on Shopify Breech
Another Article can be found here: bleepingcomputer article