- Kylie Jenner’s cosmetics company confirmed that it was one of the companies affected by the Shopify data breach earlier this month.
- Two Shopify employees may have exposed customer contact and order details from 200 merchants, Shopify said on September 23.
- Kylie Cosmetics said it was “deeply disappointed” to learn that the breach affected its customers, but remains “confident” that customers can still use its site.
Kylie Jenner’s makeup company has warned customers that their data — including parts of their credit card numbers — may have been exposed in a Shopify security breach.
Two “rogue” Shopify staff members stole order records and may have exposed customers’ names, email and postal addresses, and order details from fewer than 200 merchants, the Canadian e-commerce giant said on September 23. Kylie Cosmetics was among those affected, the beauty brand announced on its website.
The breach may have compromised the last four digits of some customers’ credit card numbers, Kylie Cosmetics said in an email first reported by TMZ on September 29, but it confirmed that full payment details weren’t accessed.
The cosmetics company, which uses Shopify for its online transactions, said it was “deeply disappointed” to learn that the breach affected its customers.
Kylie Cosmetics launched an investigation into the incident, it said, and was working closely with Shopify to get additional information.
Kylie Cosmetics was working to identify which transactions may have been affected, the company added, and said it would inform affected customers.
On September 23, Shopify said there was no evidence that the data had been used, but that it was still in the “early stages” of its investigation. The company was working with the FBI, other international crime agencies, and a digital forensics firm, it said.
The theft wasn’t caused by any “technical vulnerability” in the platform, it said, describing the employees as two “rogue” members of its support team.
The company immediately terminated the employees’ access to the Shopify network and referred the incident to law enforcement, it said.
The incident took place between August 15 and September 15, the company said.
When contacted by Business Insider, Shopify referred to its earlier statement from September 23, which read: “We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.”