by thinkingkong 1940 days ago
I mean... it's only news because it got out. If you seriously believe companies aren't accessing your data, it's borderline delusional.
2 comments

Any system admin with access to a server is able to take a copy of any data stored on it (or even transiently present on its network interface).

If he is a spy/robber, if he is corruptible or threatened... a third party will obtain this copy. For the main culprit this doesn't induce any risk (where is the evidence?). This is absolutely not like your bank, for example, which cannot really steal money without you taking notice.

How serious people are willing to store confidential data on any rented or hosted server is completely beyond me. Then some of their competitors' proposals are "just a little bit" better than theirs, or they seem to have a pretty good grasp on some R&D or customer database.

Many here work on some cloud thing, most are honest and some will be upset by my comment. This is not about you but about rotten fruits in the basket.

Um what? The problem was the lack of internal authorization to do so. Do you not see how that's a huge liability? It's basically an "inside job". If one employee can do it, then anybody with similar credentials can.

The "oh shit" scenario is when the stolen data is used to commit crimes against customers, e.g., identity theft, stalking, you name it.

Again, you're assuming internal controls exist implicitly. They don't. They're a risk exercise, not a requirement.
They have very loose controls at Shopify - no ISMS, no standard key controls - bluntly, it's a miracle they haven't had much worse happen yet. They're not even ISO 27001 compliant or certified.
This may have been true in the past, however per https://www.shopify.com/security they are SOC2-certified (SOC2 is significantly more common in North America), they are certainly PCI Level 1, and have GDPR/CCPA compliance requirements. You can also see their 2019 Transparency Report: https://www.shopify.com/security/transparency-report/report-.... It is still possible that their SOC2 and PCI reports could have a number of exceptions, but I would be surprised at this point in their maturity cycle.
Most small SaaS companies, the sort I have worked for, have literally zero controls for this sort of thing. I would expect more of a 100+ billion dollar company like Shopify, but frankly I am not surprised.