
Shopify employees accessed customer databases without authorization

175 points| synunlimited | 5 years ago

Got this email from Fangamer about Shopify earlier today.

----

Dear Fangamer customer,

Shopify, the company whose software runs the Fangamer store (and more than a million others online), has informed us that an internal security event it has been investigating since late last year included Fangamer customer data. Information regarding customer financial accounts and payment cards was not affected, but we are writing to make you aware of the situation.

According to Shopify, certain members of its support team used their Shopify credentials to obtain archived customer data from several hundred stores without authorization. The team members accessed data associated with order fulfillment — names, addresses, email addresses, cart contents, and phone numbers — but did not access or acquire any financial-account or payment-card information.

We are extremely frustrated and sorry to be sending you this email; Fangamer's internal development team takes data security extremely seriously. Data not in Fangamer's Shopify store — including Kickstarter backer information, account information and passwords, and email addresses used to sign up for our newsletter — was not accessed, and the store continues to operate as normal. Fangamer Japan, which operates as a separate store, was also not affected.

Shopify has terminated the employees who did this and eliminated the vulnerabilities that made it possible. Shopify has also reported that it will be providing any other relevant information to us as its investigation continues, and we'll pass along any new material details. If you have any questions, though, please contact us at orders@fangamer.com.

Thank you, Fangamer

36 comments


wyxuan|5 years ago

The only icing on the cake is that at least Shopify has been both transparent and quick - it's only taken a couple months and they've managed to get to the bottom of the case. A couple months might seem long, but from what I've seen it takes about a year of lag time from the start of the breach to when the company finds out/acknowledges.

In any case I'm wondering - how did Shopify discover this intrusion? Do they check logs regularly? Did they receive a tip off?

twunde|5 years ago

This is a common requirement for security-conscious organizations, especially those with HIPAA or PCI requirements. For Shopify, this likely was originally created as a customer requirement, so that clients could monitor their staff. The typical setup is to generate internal user logs and feed them into a SIEM of some type, potentially with custom rules to do some checking. Alternatively, this may very well have been caught by a type of DLP (data loss protection) or network monitoring product.

dgudkov|5 years ago

It seems like employees are becoming the weakest link in cloud security. If Google is breached one day, it will most probably happen not because of a technical vulnerability, but due to employee sabotage.

I'm pretty sure that at exactly this moment somewhere someone criminal is already analyzing organization structures, employee profiles, internal security policies and tools of the cloud giants.

sep_field|5 years ago

Speaking as an ex-Facebook engineer, it would be incredibly easy to get nefarious people employed there in an engineering role. Once inside, they have access to -all- user data; there is no actual access control (there are some basic access checks built into the Facebook application to keep you from accessing "private" data fields by accident, but all you have to do is edit that code, remove the access check, and recompile Facebook on your laptop, and you can access anything in the production database -- including people's private Messenger chats).

Facebook warns you when you are hired not to actually do this, because they have auditing systems to watch for it and you will be fired (supposedly), but for people employed by some other agency specifically for the purpose of getting high-value private data out of Facebook, being fired by Facebook for doing so is part of the expected outcome and no big deal.

A well funded agency could easily keep getting people hired at Facebook to get whatever data they want, as often as they want. Facebook is constantly trying to keep their hiring pipelines full and despite the image Facebook likes to portray, it isn't "only the best talent" that gets a job there. There are some very smart, capable people at Facebook, but there are a ton of very mediocre engineers that lucked out in the hiring process, as well. It's really just a numbers game to get in.

I'm sure much the same is true at Google/Twitter/etc.

manbackharry|5 years ago

Didn't receive an email, but are they just now referring to the incident that took place September 23 2020?

https://www.cbc.ca/news/business/shopify-data-breach-1.57351...

tantalor|5 years ago

> not the result of some sort of technical vulnerability

So what then? Did they deceive or coerce somebody?

imhoguy|5 years ago

Two Tell HNs in two days about Shopify with some weak cases. I smell some stock shorting strategy here.

motohagiography|5 years ago

We have recourse against platform employees who snoop user data for personal reasons, and even share it with their friends or political organizations? Literally thought that was a perk of their jobs.

Someone should tell reddit/google/facebook/amazon as that will blow things up pretty badly.

Wait until they are subject to normal privacy regulations that require the companies to list the names of people who have accessed their user data.

twunde|5 years ago

From what I've heard from ex-FB employees, they are told repeatedly during onboarding that snooping for personal reasons is a first-offense fireable offense, to the point that engineers often won't try to look up information even when debugging prod issues.

thebrain|5 years ago

I got the same email from Fangamer, I'm surprised I haven't gotten similar emails from other Shopify stores I've used.

spoonjim|5 years ago

Shopify may have an audit trail of exactly which stores had data compromised, and perhaps even a trail of which specific customers.

jasfi|5 years ago

How do you protect against this sort of thing as a SaaS developer?

jpalomaki|5 years ago

Prevent direct database access or at least allow it only from jump servers which don’t allow file transfers.

For troubleshooting purposes create debugging tools. Log and check their usage. When things mature, you can even require multiple admins to work together for certain actions.

Minimize human access to production envs. Automate deployments. When access is needed, use jump servers and block file transfers (or force them to go through a channel that is audited).

Do review logs and alerts on a regular basis. Put effort into minimizing false alerts and excessive logging. Quite often when reviewing logs you just notice things that "don't look right".

Nothing is 100% secure, but also people with bad intentions don't always have unlimited skills/energy/time.
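Added example, not from the thread or from Shopify: a toy SIEM-style rule in Python over constructed support-access audit lines of the kind twunde and jpalomaki describe. It flags a support user who exports archived order data from many distinct stores on one day, and scopes which stores that user touched. The log format, user names and store ids are invented.

```python
import re
from collections import defaultdict

# Hypothetical audit line format (constructed for this example):
# <ISO timestamp> user=<id> action=<verb> store=<id> tier=<live|archive>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"store=(?P<store>\d+) tier=(?P<tier>\w+)$"
)


def parse_line(line):
    """Parse one audit line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def fanout_alerts(lines, threshold=10):
    """Rule: a user who exports archived orders from >= threshold distinct
    stores on one UTC day is anomalous for per-ticket support work.
    Returns {(user, day): sorted store ids} for every hit."""
    touched = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["tier"] != "archive" or rec["action"] != "export_orders":
            continue
        day = rec["ts"][:10]
        touched[(rec["user"], day)].add(int(rec["store"]))
    return {k: sorted(v) for k, v in touched.items() if len(v) >= threshold}


def affected_stores(lines, user):
    """Incident scoping: every store whose data the flagged user touched."""
    return sorted({int(r["store"]) for r in map(parse_line, lines) if r and r["user"] == user})


# Constructed sample: agent_a does normal per-ticket lookups, agent_b bulk-exports archives.
SAMPLE_LOG = [
    "2020-09-15T09:02:11Z user=agent_a action=view_order store=1001 tier=live",
    "2020-09-15T09:30:02Z user=agent_a action=view_order store=1004 tier=live",
    "2020-09-15T11:10:45Z user=agent_a action=export_orders store=1004 tier=archive",
    "garbage line that the parser must skip",
] + [
    f"2020-09-15T10:{i:02d}:00Z user=agent_b action=export_orders store={2000 + i} tier=archive"
    for i in range(25)
]

if __name__ == "__main__":
    for (user, day), stores in fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT {day}: {user} exported archived orders from {len(stores)} stores")
    print("scope for agent_b:", affected_stores(SAMPLE_LOG, "agent_b"))
```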

Intermernet|5 years ago

A step in the right direction is to use encrypted backend data / databases. This is still fraught with problems, but it provides another layer of protection and can demonstrate the difference between "The data was just sitting there" and "We had to manually exfiltrate the encryption keys to read the data".

It's not perfect, but it adds another layer to prove malicious intent.

mytailorisrich|5 years ago

Employees should have access to customers' data on a need to know basis. Most employees do not need access so should not have access.

Then, there should be an audit trail of all accesses and this should be known to employees. First that dissuades employees from acting improperly, second that allows the company to verify that they indeed do not act improperly and to track down culprits if something happens.

notadev|5 years ago

I sometimes go out of my way to hide my identity from sites/services I sign up with. The easiest way to get doxxed is for someone to ask one of their politically-aligned buddies working at a site to pull up your info.

thinkingkong|5 years ago

I mean... it's only news because it got out. If you seriously believe companies aren't accessing your data, it's borderline delusional.

natmaka|5 years ago

Any system admin accessing a server is able to take a copy of any data stored on it (or even transiently present on its network interface).

If he is a spy/robber, if he is corruptible or threatened... a third party will obtain this copy. For the main culprit this doesn't induce any risk (where is the evidence?). This is absolutely not as with your bank, for example, which cannot really steal money without you taking notice.

How serious people are willing to store confidential data on any rented or hosted server is completely beyond me. Then some of their competitors' proposals are "just a little bit" better than theirs, or seem to have a pretty good grasp on some R&D or customer database.

Many here work on some cloud thing, most are honest and some will be upset by my comment. This is not about you but about rotten fruits in the basket.

tantalor|5 years ago

Um what? The problem was the lack of internal authorization to do so. Do you not see how that's a huge liability? It's basically an "inside job". If one employee can do it, then anybody with similar credentials can.

The "oh shit" scenario is when the stolen data is used to commit crimes against customers, e.g., identity theft, stalking, you name it.

krthkv|5 years ago

The "employee access to customer data isn't protected" problem sits unsolved as an opportunity canvas/brief in almost every SaaS company. You can get to a fair amount of controls with little to no code and only with process changes (aka SOC and ISO certifications), which is also what SaaS security teams spend quite a bit of time on. There are a fair amount of problems to be solved here.

bg24|5 years ago

Agree. And as much as policies are in place, it is not unusual to see csv exports downloaded to local laptops for analysis as part of work.

xtiansimon|5 years ago

How was the event discovered?