A security breach exposed the personal data of customers of the Spanish sex toy store Platanomelón. The names, surnames, emails, addresses, telephone numbers and products purchased by each customer were compromised.
The breach specifically affected Shopify, the e-commerce platform through which Platanomelón markets its products. The incident was not caused by a technical vulnerability in the platform but by the actions of two Shopify employees.
“Our investigation determined that two rogue members of our support team were involved in a scheme to obtain customer transaction records from certain merchants. We immediately terminated these people’s access to our Shopify network and referred the incident to the police,” Shopify reported when it disclosed the incident in September 2020.
At that time, it was reported that the incident had affected 200 shops using Shopify, but Platanomelón only learned on December 30 that it was one of them.
After the information theft became known, Shopify and local authorities in the United States launched an investigation. “We are currently working with the FBI and other international agencies in their investigation of these criminal acts,” the company said at the time. The incident was also reported to the Spanish Agency for Data Protection.
“Those whose stores were accessed illegitimately may have had customer data exposed,” Shopify reported at the time. Notably, no credit card details or financial information were leaked, according to the company. The only data compromised was that mentioned above. However, this does not make the incident less serious, because it is personal data that cybercriminals could use to extort money from victims.
In such extortion attempts, payment in cryptocurrency is usually demanded in exchange for not disseminating personal and sensitive information. In that situation, specialists recommend not giving in to the pressure and reporting it immediately.
So far, no incidents of this type have been reported in relation to the leaked information, but such data often circulates on the dark web for a long time before someone decides to use it for this kind of extortion.