Kylie Cosmetics LLC, the cosmetic company founded by Kylie Jenner of “Keeping Up with the Kardashians” fame, has disclosed that customer information was stolen as part of the data breach of Shopify Inc. last week.

The Shopify data breach involved two “rogue” employees being involved in a “scheme” to obtain customer transaction records from certain merchants. The data stolen included contact information as well as order details such as products and services purchased. Who the merchants were was never disclosed by Shopify.

In a notice to customers published by TMZ, Kylie Cosmetics said that it was “working diligently with Shopify to get additional information about this incident.” The notice states that the incident affected names, addresses, emails, product orders and the last four digits of customers. “Shopify has assured us that the customers’ full payment details… were not compromised in the incident,” the notice added.

Founded in 2015 under the name of Kylie Lip Kits, the company was valued at $900 million in March 2019 with a 51% stake in the company acquired by Coty Inc. for $600 million in November.

That a high-profile brand with a valuation of more than $1 billion has been caught up in a data breach that involved employees at a third-party supplier once again raises concerns.

“When a business engages with a third party to operate a critical portion of their business … the business is effectively transferring risk and obligations to the provider while accepting risk in return,” Tim Mackey, principal security strategist, Cybersecurity Research Center at electronic design automation company Synopsys Inc. told SiliconANGLE.

“In this case, the risk accepted by Kylie Cosmetics and the roughly 200 other impacted Shopify businesses was that Shopify has effective controls in place to limit employee access to storefront customer data,” he added. “While there is always a level of risk from an insider attack, when the insider is an employee within your digital supply chain, managing that threat can become complicated. This is why audit and access controls are key to any cybersecurity strategy.”

Lamar Bailey, senior director of security research at cybersecurity firm Tripwire Inc., noted that insider threats often get little attention. “Support engineers are often an entry-level job so it is easier for someone to infiltrate the organization at this level,” he said.

“A bad actor looking to gain company data can easily use a fake identity to secure a job and then use this position as a launching point for gathering data to sell on the black market,” Bailey added. “It is imperative that organizations have security controls in place users, access and file monitoring to look for employees accessing systems, code, or data they do not need access to. A stance of least privilege for everyone is the best policy.”

Photo: Mike Mozart/Flickr