Skip to main content
Canada’s most-awarded newsroom for a reason
Enjoy unlimited digital access
$1.99
per week
for 24 weeks
Canada’s most-awarded newsroom for a reason
$1.99
per week
for 24 weeks
// //

Shopify Inc. says it has notified Canada’s privacy commissioner about a recent data breach it says was carried out by two “rogue” employees.

“In accordance with Canadian law, we promptly notified all affected merchants,” a spokeswoman for the company wrote in an email.

“We have subsequently provided information regarding the incident to the Office of the Privacy Commissioner.”

Story continues below advertisement

Earlier Wednesday, the commissioner’s office said it hadn’t yet received a report about the breach.

“Our office is reaching out to Shopify, given the potential seriousness of the breach, to request more information about the matter,” Vito Pilieci, a senior communications adviser wrote in an email.

Under the Personal Information Protection and Electronic Documents Act, it is mandatory for companies to report breaches to the privacy commissioner’s office, “where it is reasonable to believe that the breach creates a real risk of significant harm to an individual,” Pilieci said.

Shopify spokeswoman Rebecca Feigelsohn said the two employees involved in the breach were fired.

On Tuesday, the Ottawa-based company first revealed on an online discussion board that it had identified two workers involved in illegitimately obtaining records connected to some of its merchants.

“We immediately terminated these individuals' access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts,” the company said.

“While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.”

Story continues below advertisement

The customer data the employees were accessing was linked to fewer than 200 merchants, who Shopify has declined to identify but says have been notified.

The improperly accessed data includes basic contact information such as emails, names and addresses, as well as order details, such as what products and services were purchased.

Shopify said complete payment card numbers and other sensitive personal or financial information were not part of the breach and it has yet to find evidence that any of the data was used.

Your Globe

Build your personal news feed

  1. Follow topics and authors relevant to your reading interests.
  2. Check your Following feed daily, and never miss an article. Access your Following feed from your account menu at the top right corner of every page.

Follow topics related to this article:

View more suggestions in Following Read more about following topics and authors
Report an error
Tickers mentioned in this story
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

If you do not see your comment posted immediately, it is being reviewed by the moderation team and may appear shortly, generally within an hour.

We aim to have all comments reviewed in a timely manner.

Comments that violate our community guidelines will not be posted.

UPDATED: Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies