Shopify’s Toronto office. (Raysonho @ Open Grid Scheduler / Grid Engine)

A data breach at Shopify perpetrated by two “rogue employees” who worked on the e-commerce platform’s support team illustrates how certain roles within an organization may require more stringent monitoring.

Based on Shopify’s online support page, the “support team” appears to refer to help center employees who handle inquiries and troubleshooting requests submitted by both merchants and their customers. Experts told SC Media that employees working for such a department potentially have access to a wide variety of data at their fingertips, which they might view, gather or exfiltrate for illegitimate purposes.

“It is critical that these individuals be monitored,” said Armaan Mahbod, director of counter-insider threat research at remote employee monitoring company Dtex Systems. Mahbod told SC Media that such employees often have the ability to use remote service tools to directly access their clients’ systems, websites and customer portals, and potentially even their transaction logs.

And because Shopify is essentially a third-party service for e-retailers, a data breach scenario in this case “could be a customer support individual having access to, essentially, their customers’ data or having access to their customers’ customer data,” Mahbod continued.

Should support employees have admin access, they could even “inject shadow code into these stores in the form of third-party plugins and scripts, which can then be used to launch skimming attacks against the merchant, fueling an endless cycle of account takeover and credit card fraud,” said Ameet Naik, security evangelist at PerimeterX. (There is no indication this happened with Shopify.)

According to Shopify’s official online notification, the two employees – whose access has since been terminated – “were engaged in a scheme to obtain customer transactional records of certain merchants” who leverage the e-commerce platform. In the process, they exposed email addresses, physical addresses, names and order details, but not complete payment card numbers or “other sensitive personal or financial information.” But even without full financial information, adversaries could potentially use such data to launch targeted phishing attacks.

Shopify has yet to name the exact number of merchants affected or explain how the unauthorized activity was ultimately detected. But the fact that so many Shopify merchants were affected at the very least suggests the employees’ actions were not flagged and detected as quickly as they probably should have been, Mahbod said.

Indeed, Mahbod said when these kinds of schemes happen, they transpire “low and slow,” so “it’s something that’s probably been going on for quite some time. It is something that should have been detected far, far sooner. It should have been nipped in the bud.”

Perhaps more cases like these could be nipped in the bud if certain precautions were taken in advance.

Shareth Ben, executive director, field engineering at Securonix, believes a least-privilege approach is warranted.

“Usually, staff or contractors who work in a help center role should have limited access or access specific to their job function if the concept of ‘least privilege’ is adhered to. In this situation [with Shopify], we are not certain if that is the case,” said Ben.

In the same vein, Naik recommended companies like Shopify adopt a zero-trust strategy. “With software-as-a-service platforms, internal employees, such as those handling support tickets, often have privileged access to customer information, including personally identifiable information in some cases,” said Naik. “Organizations must ensure privacy is integral to the design of their platforms, and take a zero-trust approach to secure access.”

However, Mahbod argues that this “locking and blocking” of support employees can potentially backfire if applied too strictly because, to perform their jobs properly, these workers often need quick access to a wide array of capabilities and systems. “It just causes the business to be more inefficient and move ineffectively,” he said.

Mahbod therefore suggests that companies monitor the workforce for activity that violates behavioral norms, particularly activity that deviates from employees’ role-based responsibilities and past actions. For instance, said Mahbod, there should be little need for help center employees to save files locally or rename them locally, because the customer relationship management tools at their disposal should already store the data they need.

Sending data or files through personal email or instant messaging tools, or activity taking place during off-hours are other major red flags, he added, advocating for tools that provide a full, visible audit trail across all systems to which an employee has access.
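The behavioral signals Mahbod describes (actions outside a role’s normal duties, data leaving through personal email or local disk, off-hours activity, and volume that departs from an employee’s own past behavior) can be expressed as a small detection routine. The following is an added example written for this article; it is not Shopify’s tooling and not code from Dtex or any other vendor quoted here. The event fields, the role-to-action mapping, the 08:00–18:00 business-hours window and the audit log lines are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed local-time business-hours window: [08:00, 18:00).
BUSINESS_HOURS = (8, 18)
# Assumed mapping of job role to the actions that role is expected to perform
# inside the CRM; anything else deviates from role-based responsibilities.
ROLE_ACTIONS = {"support": {"view_order", "view_customer", "update_ticket"}}
# Assumed channels that should never carry customer records out of the CRM.
EXFIL_CHANNELS = {"personal_email", "instant_messaging", "local_disk"}

# Constructed sample audit log (not real Shopify data). Each record summarizes
# one session: how many customer records were touched and through which channel.
AUDIT_EVENTS = [
    # agent_a: steady volume, in hours, CRM only
    {"ts": "2020-09-01T09:10:00", "user": "agent_a", "role": "support", "action": "view_order", "records": 40, "channel": "crm"},
    {"ts": "2020-09-02T10:30:00", "user": "agent_a", "role": "support", "action": "view_order", "records": 45, "channel": "crm"},
    {"ts": "2020-09-03T11:00:00", "user": "agent_a", "role": "support", "action": "view_order", "records": 38, "channel": "crm"},
    {"ts": "2020-09-04T14:20:00", "user": "agent_a", "role": "support", "action": "view_order", "records": 42, "channel": "crm"},
    # agent_b: normal for three days, then a late-night bulk pull, a local save
    # and a send through personal email
    {"ts": "2020-09-01T09:00:00", "user": "agent_b", "role": "support", "action": "view_order", "records": 30, "channel": "crm"},
    {"ts": "2020-09-02T09:30:00", "user": "agent_b", "role": "support", "action": "view_order", "records": 35, "channel": "crm"},
    {"ts": "2020-09-03T10:15:00", "user": "agent_b", "role": "support", "action": "view_order", "records": 32, "channel": "crm"},
    {"ts": "2020-09-04T23:40:00", "user": "agent_b", "role": "support", "action": "view_order", "records": 900, "channel": "crm"},
    {"ts": "2020-09-04T23:55:00", "user": "agent_b", "role": "support", "action": "save_file", "records": 900, "channel": "local_disk"},
    {"ts": "2020-09-05T00:10:00", "user": "agent_b", "role": "support", "action": "send_file", "records": 900, "channel": "personal_email"},
]


def is_off_hours(ts: str) -> bool:
    """True when the ISO timestamp falls outside BUSINESS_HOURS."""
    hour = datetime.fromisoformat(ts).hour
    start, end = BUSINESS_HOURS
    return not (start <= hour < end)


def volume_deviates(prior: list, value: int, z_threshold: float = 3.0, min_history: int = 3) -> bool:
    """Compare `value` with the user's own history of the same action.

    With fewer than `min_history` prior observations there is no baseline, so
    nothing is flagged. If the history is perfectly flat (stddev 0) fall back
    to a simple ratio test instead of dividing by zero.
    """
    if len(prior) < min_history:
        return False
    mu, sigma = mean(prior), pstdev(prior)
    if sigma == 0:
        return value > 5 * mu
    return (value - mu) / sigma > z_threshold


def flag_events(events: list) -> list:
    """Return (user, ts, [reasons]) for every event that breaks a behavioral norm.

    Baselines are built strictly from events earlier in time, so an event is
    never compared against itself.
    """
    alerts = []
    history = defaultdict(list)  # (user, action) -> records touched in prior events
    for e in sorted(events, key=lambda ev: ev["ts"]):
        reasons = []
        expected = ROLE_ACTIONS.get(e["role"], set())
        if e["action"] not in expected:
            reasons.append(f"action {e['action']} outside role {e['role']}")
        if e["channel"] in EXFIL_CHANNELS:
            reasons.append(f"data moved via {e['channel']}")
        if is_off_hours(e["ts"]):
            reasons.append("off-hours activity")
        prior = history[(e["user"], e["action"])]
        if volume_deviates(prior, e["records"]):
            reasons.append(f"volume {e['records']} vs baseline {mean(prior):.0f}")
        prior.append(e["records"])
        if reasons:
            alerts.append((e["user"], e["ts"], reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in flag_events(AUDIT_EVENTS):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Run as written, the routine leaves agent_a untouched and raises three alerts for agent_b, each carrying several reasons at once; in practice that stacking of independent signals on the same account within minutes is what turns a noisy single rule into something an analyst will act on. The per-user baseline is deliberately built only from earlier events, which is why “low and slow” drift needs a longer history window than the three sessions used here.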

Ben is also in favor of companies monitoring employees to ensure they are not attempting to access systems or data in an unauthorized fashion.

“While companies who have a good security posture may have preventive technical controls in place, how do they know it’s working? This is why monitoring for privilege account escalation or misuse of high privileges is needed,” said Ben. “If this was in place you would be able to monitor for authorized user activity as well as unauthorized user activity which typically leaves behind breadcrumbs for security tools to pick up.”

With that in mind, Ben summarized the tools companies need to counter insider threats: “If the rogue employees were attempting to access an unauthorized system over time and eventually succeeded at it, that is something you want to detect. Hence, defining who can access what is step one,” said Ben. “This can be achieved with implementing proper identity and access management.”

“Then, monitoring to ensure that policy is followed is step two,” Ben continued. A SIEM or a user behavior monitoring tool that can bring together access privileges and user activity on systems that matter can detect nefarious behaviors. Once that fundamental visibility is in place, he added, companies can look for privileged activity and privilege-escalation activity, which are signals of malicious behavior.
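Ben’s two steps, defining who may access what and then monitoring that the policy holds, fit together in a short audit routine that joins a role-based access policy with an access log. The following is an added example written for this article, not Securonix’s product or any Shopify code. The role names, the systems, the directory of user-to-role assignments and the log entries are constructed assumptions; the `effective_role` field stands in for whatever a real SIEM would carry about the privileges a session actually held when the allow/deny decision was made.

```python
from collections import defaultdict

# Assumed access policy (step one: who can access what). Each role maps to the
# systems it is permitted to use; support staff get the CRM and ticketing, not
# the payments database or the store admin console.
ACCESS_POLICY = {
    "support": {"crm", "ticketing"},
    "billing": {"crm", "payments_db"},
    "admin": {"crm", "ticketing", "payments_db", "store_admin"},
}

# Assumed identity directory: the role identity management has granted each user.
DIRECTORY = {"agent_b": "support", "agent_c": "billing"}

# Constructed access-log events (not real Shopify data). `effective_role` is the
# role the session actually carried when the system made its allow/deny decision.
ACCESS_LOG = [
    {"ts": "2020-09-01T09:00:00", "user": "agent_b", "system": "crm", "result": "allow", "effective_role": "support"},
    {"ts": "2020-09-02T09:05:00", "user": "agent_b", "system": "payments_db", "result": "deny", "effective_role": "support"},
    {"ts": "2020-09-03T09:07:00", "user": "agent_b", "system": "payments_db", "result": "deny", "effective_role": "support"},
    {"ts": "2020-09-08T09:02:00", "user": "agent_b", "system": "payments_db", "result": "allow", "effective_role": "admin"},
    {"ts": "2020-09-08T09:30:00", "user": "agent_c", "system": "payments_db", "result": "allow", "effective_role": "billing"},
    {"ts": "2020-09-08T10:00:00", "user": "agent_c", "system": "crm", "result": "allow", "effective_role": "billing"},
]


def policy_allows(role: str, system: str) -> bool:
    """Step one, as a predicate: does the policy let this role touch this system?"""
    return system in ACCESS_POLICY.get(role, set())


def users_permitted(system: str, policy=ACCESS_POLICY, directory=DIRECTORY) -> set:
    """Answer 'who can access what' for one system from policy plus directory."""
    return {u for u, r in directory.items() if system in policy.get(r, set())}


def audit(events: list, policy=ACCESS_POLICY, directory=DIRECTORY, repeat_threshold: int = 2) -> list:
    """Step two: check every access decision against the policy and the directory.

    Returns (user, ts, reason) findings for:
      - a session whose effective role is not the role the directory assigns
      - repeated denied attempts on the same system (persistence over time)
      - an allowed access the assigned role is not entitled to, which is the
        control failure itself, and separately whether it followed earlier denials
    """
    findings = []
    denials = defaultdict(int)  # (user, system) -> denied attempts seen so far
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, system, ts = e["user"], e["system"], e["ts"]
        assigned = directory.get(user)
        key = (user, system)
        if e["effective_role"] != assigned:
            findings.append((user, ts, f"session role {e['effective_role']} differs from assigned role {assigned}"))
        if e["result"] == "deny":
            denials[key] += 1
            if denials[key] >= repeat_threshold:
                findings.append((user, ts, f"{denials[key]} denied attempts on {system}"))
        elif not policy_allows(assigned, system):
            findings.append((user, ts, f"access to {system} granted but not permitted for role {assigned}"))
            if denials[key]:
                findings.append((user, ts, f"success on {system} after {denials[key]} earlier denials"))
    return findings


if __name__ == "__main__":
    print("permitted on payments_db:", sorted(users_permitted("payments_db")))
    for user, ts, reason in audit(ACCESS_LOG):
        print(f"{ts} {user}: {reason}")
```

The key design point is that the policy and the directory are inputs to the monitor rather than something it trusts the target system to have enforced: the final agent_b entry is an allow, so the payments database itself raised no objection, yet the audit still flags it because the granted access contradicts the assigned role and arrives after two prior denials. That is the “how do they know it’s working” check Ben describes.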

Naik also recommended that companies address privacy while designing their websites and applications, collecting “as little PII as possible to minimize the impact of an insider-led data breach.” Additionally, “e-commerce merchants using SaaS platforms such as Shopify must ensure they use multi-factor authentication for their admin accounts and invest in client-side application security solutions to detect and stop shadow code threats on their online stores.”