Shopify Inc. says it has notified Canada’s privacy commissioner about a recent data breach it says was carried out by two “rogue” employees.
“In accordance with Canadian law, we promptly notified all affected merchants,” a spokeswoman for the company wrote in an email.
“We have subsequently provided information regarding the incident to the Office of the Privacy Commissioner.”
Earlier Wednesday, the commissioner’s office said it hadn’t yet received a report about the breach.
“Our office is reaching out to Shopify, given the potential seriousness of the breach, to request more information about the matter,” Vito Pilieci, a senior communications adviser wrote in an email.
Under the Personal Information Protection and Electronic Documents Act, it is mandatory for companies to report breaches to the privacy commissioner’s office, “where it is reasonable to believe that the breach creates a real risk of significant harm to an individual,” Pilieci said.
Shopify spokeswoman Rebecca Feigelsohn said the two employees involved in the breach were fired.
On Tuesday, the Ottawa-based company first revealed on an online discussion board that it had identified two workers involved in illegitimately obtaining records connected to some of its merchants.
“We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts,” the company said.
“While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.”
The customer data the employees were accessing was linked to fewer than 200 merchants, who Shopify has declined to identify but says have been notified.
The improperly accessed data includes basic contact information such as emails, names and addresses, as well as order details, such as what products and services were purchased.
Shopify said complete payment card numbers and other sensitive personal or financial information were not part of the breach and it has yet to find evidence that any of the data was used.