A US grand jury has charged a California resident with stealing Shopify customer data from more than 100 merchants.
According to the complaint, Tassilo Heinrich worked with two Shopify customer support agents to pull merchant and customer data from Shopify customers, with the aim of “stealing business from those merchants” and increasing their competitiveness. He has been charged with conspiracy involving aggravated identity theft and wire fraud. The indictment also states that Heinrich, who appears to have been around 18 at the time of the alleged scheme, sold the data to other accomplices for fraudulent activity.
A person with direct knowledge of the security breach confirmed that the victim listed in the indictment is Shopify.
In September 2020, Shopify, an online e-commerce platform for small businesses, revealed a data breach committed by two “rogue members” of its customer support team that targeted “less than 200 merchants.” Shopify said it had fired the two contractors, saying they were “involved in a scheme to get customer transaction records from some stores.”
According to Shopify, the contractors stole customer data, including order details such as name, zip code, address, and which product or service the customer purchased. One merchant, who was notified of the data breach by Shopify, said the last four digits of affected customers’ payment cards had also been stolen, which was confirmed in the indictment.
The victims also reportedly included Kylie Jenner’s cosmetics and makeup company, Kylie Cosmetics, according to the BBC.
According to the complaint, Heinrich is said to have accessed parts of Shopify’s internal network by paying employees of a third-party customer support company in the Philippines kickbacks to take screenshots or upload data to Google Drive. Heinrich paid the employee thousands of dollars’ worth of crypto assets and gave them fake positive reviews that claimed to be from merchants who had received customer service but had not left feedback. According to the indictment, Heinrich received a year’s worth of data from some merchants.
Heinrich said he had been siphoning data from Shopify’s internal network for at least a year, and at one point asked if a customer support employee could “remotely access” it while he was asleep.
Shopify spokeswoman Rebecca Feigelsohn said in a short statement: “Shopify worked with the FBI to investigate a small number of merchant data incidents in September 2020. As mentioned earlier, the perpetrators involved are no longer working at Shopify. I can’t comment further at this time as a criminal investigation is in progress.”
Heinrich was arrested by the FBI at Los Angeles International Airport in February 2021 and is currently in federal custody pending a trial set to begin on September 7, 2021. He is said to be innocent.
[Updated] This article has been updated with comments from Shopify.