UPDATED 20:58 EDT / SEPTEMBER 23 2020

SECURITY

‘Rogue’ Shopify employees steal merchant account details

Shopify Inc. has suffered a data breach and details from about 200 merchant accounts were stolen by employees.

Reported Tuesday, the data theft involved two “rogue” Shopify support team members whom the company describes as engaged in a “scheme” to obtain customer transaction records from certain merchants. The data stolen included contact information such as emails, names and addresses as well as order details such as products and services purchased.

Affected merchants have been contacted to assist them in navigating the issue and to address any concerns.

The motivation behind the scheme was not detailed. Shopify said only that it had fired the employees and is working with the U.S. Federal Bureau of Investigation and other international agencies in their investigation of the criminal acts. That international agencies are involved could suggest that there was an international aspect to the data breach, even that the employees could have been paid by foreign criminals for the data they stole.

Regardless of the motivation, the data breach highlights the threat insiders present to companies large and small when it comes to data protection and cybersecurity. “Many organizations have their eye on criminals attacking from outside and can often turn a blind eye to the threats that exist within,” Javvad Malik, security awareness advocate at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “It’s therefore important that organizations build a culture of security which can reduce the likelihood of employees intentionally or accidentally causing harm.”

Shareth Ben, executive director, field engineering at security information and event management company Securonix Inc., said the incident should put a spotlight on the dangers insiders pose to an organization’s brand reputation.

“It is very difficult to spot malicious insider behavior without the right security processes and technologies deployed, but all e-commerce providers should take the steps necessary to establish effective data security controls, especially around transactional and customer/merchant information,” Ben said.

PJ Norris, senior systems engineer at cybersecurity solutions firm Tripwire Inc., added that it’s not uncommon for disgruntled employees to steal data or even accept bribes from cybercriminal groups. “Hopefully, Shopify will have a monitoring system in place that will aid their security team and the FBI in analyzing which accounts have been compromised and how the incident occurred,” he said.
