An internal investigation into a data breach it said involved fewer than 200 merchants found "two rogue members of [the company's] support team were engaged in a scheme to obtain customer transactional records of certain merchants", the company said in a statement.
Data belonging to almost 200 merchants who used the e-commerce company Shopify, potentially including their customers' information, was compromised by a pair of "rogue" employees, officials recently announced.
"We are now working with the FBI and other worldwide agencies in their investigation of these criminal acts".
Shopify said that it does not have any evidence to suggest that the data was used, but that it had notified affected merchants of the incident. However, those whose stores were illegitimately accessed may have had customer data exposed. The data included basic contact information and order details, but not complete payment card numbers or other sensitive personal or financial information, it said. Over 1 million merchants, including boutique shops and well-known brands, use the platform across the globe.
Shopify said it had referred the matter to the Federal Bureau of Investigation.
Shopify did not say how many end customers were affected by the theft of data from merchants, but the email sent by Shopify contained the specific number of customer records taken in the breach.
Under the Personal Information Protection and Electronic Documents Act, it is mandatory for companies to report breaches to the privacy commissioner's office, "where it is reasonable to believe that the breach creates a real risk of significant harm to an individual", Pilieci said.
Shopify also revealed that after an investigation process, it terminated the two support team members' access to the e-commerce platform's network.