Celebrity Kylie Jenner’s makeup company Kylie Cosmetics has warned customers of a potential data breach after a wide-ranging breach hit its e-commerce site.
Customers who made a purchase through Kylie Cosmetics have been notified via email that their names, addresses and even credit card details might have been accessed by an unauthorised third party after two “rogue” employees of the brand’s e-commerce platform reportedly stole data from as many as 100 sellers.
A few weeks ago, Canadian e-commerce giant Shopify confirmed that two members of its support team had stolen private information from the site’s vendors. The company says that on September 23, two “rogue” employees may have copied data from more than 100 sellers, potentially to sell on the black market at a later date.
The theft was reported to the FBI, which has since launched an investigation into the employees. Shopify is one of the world’s largest providers of online sales for high-profile brands, including Tesla Motors, Victoria Beckham and Taylor Swift.
Shopify has stated that the rogue employees were not able to access the full set of payment data from its customers, but has told customers who have made a transaction through its platform to take note of any potentially fraudulent transactions.
Kylie Cosmetics was one of the leading brands using Shopify’s services to sell cosmetic goods, and has since notified customers of the potential data breach, telling them to be vigilant for identity and financial fraud carried out in their name.
“Your trust is important to us,” the message reads. “And we wanted to let you know we’re working diligently with Shopify to get additional information about this incident and their investigation and response to this matter.”
“Shopify has assured us that they have implemented additional controls designed to help prevent this type of incident from recurring in the future,” the message to customers concluded.
Lamar Bailey, Tripwire’s senior director of security research, has told Tech Radar that “insider threat is a very real issue that gets little attention.”
“Support engineers are often an entry-level job, so it is easier for someone to infiltrate the organisation at this level,” he continued.
“A bad actor looking to gain company data can easily use a fake identity to secure a job and then use this position as a launching point for gathering data to sell on the black market. It is imperative that organisations have security controls in place for users, access, and file monitoring to look for employees accessing systems, code, or data they do not need access to.”
Bailey concluded by stating that “a stance of least privilege for everyone is the best policy. With the current industry skills gap, organisations may not be as diligent validating the background of new employees.”