Customer transaction records for some merchants were obtained by hackers on September 15, according to an email sent to customers by 100% Pure, a cosmetics retailer that uses the Shopify platform.
“We deeply appreciate the confidence of our customers and are sorry that this incident has called it into question,” said Ric Kostick, CEO of 100% Pure. “Our top priority right now is to ensure the protection and security of their data. We are carefully assessing the extent of this incident with Shopify and will take all necessary and immediate action to prevent this from happening again. ”
Shopify has terminated the two employees’ access to its network, and the company is working with the Federal Bureau of Investigation and other international agencies investigating what it calls “criminal acts.” Shopify shares slipped more than 1% in extended trading on Tuesday.
The hacked stores may have exposed customer data, including emails, names, addresses and order details, the company added. Full payment card numbers or other sensitive personal or financial information was not part of the incident, Shopify said.
Shopify sells subscription software to help merchants run online stores. The Ottawa-based company has seen a skyrocketing increase since going public in 2015. The coronavirus pandemic has spurred growth even more as lockdowns pushed more retailers online. It is now the most valuable Canadian company in the public market.
Last year, a security researcher discovered a bug in Shopify’s software code that could have exposed revenue information for thousands of online stores.