"In accordance with Canadian law, we promptly notified all affected merchants," a spokeswoman for the company wrote in an email.
"We have subsequently provided information regarding the incident to the
Earlier Wednesday, the commissioner's office said it hadn't yet received a report about the breach.
"Our office is reaching out to Shopify, given the potential seriousness of the breach, to request more information about the matter,"
Under the Personal Information Protection and Electronic Documents Act, it is mandatory for companies to report breaches to the privacy commissioner's office, "where it is reasonable to believe that the breach creates a real risk of significant harm to an individual," Pilieci said.
Shopify spokeswoman
On Tuesday, the
"We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the
"While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant."
The customer data the employees were accessing was linked to fewer than 200 merchants, who Shopify has declined to identify but says have been notified.
The improperly accessed data includes basic contact information such as emails, names and addresses, as well as order details, such as what products and services were purchased.
Shopify said complete payment card numbers and other sensitive personal or financial information were not part of the breach and it has yet to find evidence that any of the data was used.
This report by
Companies in this story: (TSX:SHOP)
© 2020 The Canadian Press. All rights reserved., source