“We subsequently provided information about the incident to the Office of the Privacy Commissioner. ”
Earlier Wednesday, the commissioner’s office said it had yet to receive a report of the violation.
“Our office is reaching out to Shopify, given the potential severity of the breach, to request more information on the matter,” Vito Pilieci, a senior communications advisor, wrote in an email.
Under the Personal Information Protection and Electronic Documents Act, it is mandatory for businesses to report breaches to the Office of the Privacy Commissioner, “where it is reasonable to believe that the breach creates a real risk of significant harm to an individual, ”Pilieci said.
Shopify spokesperson Rebecca Feigelsohn said the two employees involved in the breach were fired.
On Tuesday, the Ottawa-based company first revealed in an online discussion forum that it had identified two workers involved in illegitimately obtaining records related to some of its merchants.
“We immediately terminated these people’s access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts, ”the company said.
“While we have no evidence of data use, we are in the early stages of the investigation and will update affected merchants as necessary. ”
The customer data that employees were accessing related to less than 200 merchants, which Shopify declined to identify but said they had been notified.
Poorly viewed data includes basic contact information such as emails, names and addresses, as well as order details, such as products and services purchased.
Shopify said full payment card numbers and other sensitive personal or financial information were not part of the breach and that it has yet to find evidence that any of the data was used.
This report by The Canadian Press was first published on September 23, 2020.