California Man Charged in Shopify Data Breach | US Charges

April 5, 2021

Indictment in Shopify Data Theft Case

A California resident is facing charges following an indictment related to the theft of customer data from over one hundred Shopify merchants, as reported by TechCrunch.

Details of the Alleged Scheme

Tassilo Heinrich has been indicted on charges of aggravated identity theft and conspiracy to commit wire fraud. The accusations center around an alleged collaboration with two Shopify customer support agents.

The indictment alleges that Heinrich sought to gain a competitive advantage and divert business from existing merchants by acquiring sensitive data. He is also accused of selling this stolen information to accomplices for fraudulent purposes.

Confirmation of Shopify as the Victim

Sources with direct knowledge of the security incident have confirmed that the unnamed company referenced in the indictment is, in fact, Shopify.

Shopify's Previous Disclosure

In September of the previous year, Shopify disclosed a data breach stemming from the actions of two “rogue” members of its third-party customer support team. The breach impacted fewer than 200 merchants.

Shopify terminated the employment of these two contractors after discovering their involvement in a scheme to illegally obtain customer transactional records.

Data Compromised in the Breach

The stolen data included customer names, postal addresses, and details of their purchases – specifically, the products and services they acquired.

Furthermore, reports indicate, and the indictment corroborates, that the last four digits of customers’ payment cards were also compromised.

High-Profile Victim

Among the businesses affected by the data breach was Kylie Cosmetics, the cosmetics company owned by Kylie Jenner, as reported by the BBC.

Method of Data Access

The indictment details how Heinrich allegedly compensated an employee of a third-party customer support company based in the Philippines. This payment was for access to Shopify’s internal network.

The data was obtained through methods such as taking screenshots or uploading it to Google Drive. Heinrich reportedly paid the employee in cryptocurrency and with fabricated positive reviews.

It is alleged that Heinrich obtained a year’s worth of data from certain merchants.

Escalation of the Scheme

Heinrich is accused of systematically extracting increasing amounts of data from Shopify’s network over a period of at least one year.

The indictment also reveals a request from Heinrich to remotely access the customer support employee’s computer while they were not actively using it.

Shopify's Response

Shopify spokesperson Rebecca Feigelsohn issued a brief statement confirming the company’s cooperation with the FBI investigation.

Shopify stated that the individuals involved are no longer affiliated with the company, but declined to provide further comment due to the ongoing criminal investigation.

Current Status of the Case

Heinrich was apprehended by the FBI at Los Angeles International Airport in February and remains in federal custody awaiting trial.

The trial is scheduled to commence on September 7th, and Heinrich has entered a plea of not guilty.

This article has been updated to include a statement from Shopify.
