by tantalor 1934 days ago
Um what? The problem was the lack of internal authorization to do so. Do you not see how that's a huge liability? It's basically an "inside job". If one employee can do it, then anybody with similar credentials can.

The "oh shit" scenario is when the stolen data is used to commit crimes against customers, e.g., identity theft, stalking, you name it.


Again, you're assuming internal controls exist implicitly. They don't. They're a risk exercise, not a requirement.
They have very loose controls at shopify - no ISMS, no standard key controls - bluntly, it’s a miracle they haven’t had much worse happen yet. They’re not even ISO27001 compliant or certified.
This may have been true in the past, however per https://www.shopify.com/security they are SOC2-certified (SOC2 is significantly more common in North America), they are certainly PCI Level 1, and have GDPR/CCPA compliance requirements. You can also see their 2019 Transparency Report: https://www.shopify.com/security/transparency-report/report-.... It is still possible that their SOC2 and PCI reports could have a number of exceptions, but I would be surprised at this point in their maturity cycle.
Most small SaaS companies, the sort I have worked for, have literally zero controls for this sort of thing. I would expect more of a 100+ billion dollar company like Shopify, but frankly I am not surprised.