US charges California man over Shopify data breach – TechCrunch
A grand jury has indicted a California resident accused of stealing Shopify customer data on over a hundred merchants, TechCrunch has learned.
The indictment charges Tassilo Heinrich with aggravated identity theft and conspiracy to commit wire fraud by allegedly working with two Shopify customer support agents to steal merchant and customer data from Shopify customers to gain a competitive edge and “take business away from those merchants,” the indictment reads. The indictment also accuses Heinrich, believed to be around 18 years old at the time of the alleged scheme, of selling the data to other co-conspirators to commit fraud.
A person with direct knowledge of the security breach confirmed Shopify was the unnamed victim company referenced in the indictment.
Last September, Shopify, an online e-commerce platform for small businesses, revealed a data breach perpetrated by two “rogue members” of its third-party customer support team that targeted “less than 200 merchants.” Shopify said it fired the two contractors for engaging “in a scheme to obtain customer transactional records of certain merchants.”
Shopify said the contractors stole customer data, including names, postal addresses and order details, like which products and services were purchased. One merchant who received the data breach notice from Shopify said the last four digits of affected customers’ payment cards were also taken, which the indictment confirms.
Another one of the victims was Kylie Jenner’s cosmetics and make-up company, Kylie Cosmetics, the BBC reported.
The indictment accuses Heinrich of paying an employee of a third-party customer support company in the Philippines to access parts of Shopify’s internal network by either taking screenshots or uploading the data to Google Drive in exchange for kickbacks. Heinrich paid the employee in thousands of dollars’ worth of cryptocurrency, and also fake positive reviews claiming to be from merchants to whom the employee had provided customer service but had not left feedback. The indictment alleges that Heinrich received a year’s worth of some merchants’ data.
Heinrich allegedly spent at least a year siphoning off incrementing amounts of data from Shopify’s internal network, at one point asking if he could “remotely access” the customer support employee’s computer while they were asleep.
In a brief statement, Shopify spokesperson Rebecca Feigelsohn said: “Shopify has cooperated with the FBI to investigate an incident involving the data of a small number of our merchants in September 2020. As previously stated, the perpetrators involved no longer work with Shopify. Because there is an active criminal investigation, we are unable to provide further comment at this time.”
Heinrich was arrested by the FBI at Los Angeles International Airport in February and is currently detained in federal custody pending trial, set to begin on September 7. Heinrich has pleaded not guilty.
Updated with comment from Shopify.