On Wednesday, September 23, 2020, we notified our customers of an incident involving customer order information that happened on Shopify, our third-party website hosting platform, and the actions that are being taken to support you. We care deeply about our customers and your security. Below, we are sharing additional tools and information that we hope will help support you.
How did this happen?
On Monday, September 21, Shopify told us about a data incident on its platform that caused a possible disclosure of customer personal information. Shopify is a third-party ecommerce platform that hosts our website. Shopify's investigation determined that two rogue members of its support team were engaged in a scheme to obtain customer transactional records of certain merchants. Shopify told us that the information may have included names, addresses, emails, product orders, BIN number, and the last four digits of credit cards but it did not include full credit card information or account passwords.
Thrive Causemetics was not the only company impacted by this incident. Because of that, you may receive notifications from other companies you’ve shopped with online that also use the Shopify platform. Shopify has assured us that they have made changes to ensure this does not happen again and to further protect our customer data going forward. You can read their current public statement here.
What information exactly was shared?
Shopify told us that the information potentially included name, billing address, shipping address, email address, phone number, BIN number, last 4 digits of payment card, and details about any products or services purchased, but it did not include complete credit card information or other sensitive personal or financial information. You may be receiving notifications from other companies you’ve shopped with online who also use the Shopify platform and who may have been impacted by Shopify’s incident. Again, Shopify has assured us that full payment card information and account passwords were not included.
What is Thrive Causemetics doing to make sure this doesn’t happen again?
Trust and transparency are important to us, and we want to make sure our customers know exactly what happened and what we’re doing to prevent this from happening again. The source of this incident was entirely within Shopify, and we are working with their team to address opportunities for enhanced security protocols and to make sure this does not happen again. The feature within their platform that was utilized in this action has been removed.
Is it safe to place orders on thrivecausemetics.com now?
As a customer, what actions can I take to protect myself?
While your personal information may have been impacted, Shopify has assured us that full payment card information and account passwords were not included, and so the likelihood of fraudulent transactions or identity theft is low. As a proactive step, we advise that you monitor your online accounts and bank statements closely. Should you notice any unsanctioned charges, please take appropriate action with your bank or credit card company.
Even if you do not find any suspicious activity on your initial credit reports, we and the FTC recommend that you check your credit reports periodically. Checking your credit reports periodically can help you spot problems and address them quickly.
To obtain this information you can contact the following agencies: Equifax, TransUnion, and Experian. Here are a few resources below through those agencies that allow you to put a security freeze on your accounts to prevent new accounts from being opened in your name.
- Equifax- https://www.equifax.com/personal/credit-report-services/credit-freeze/
- TransUnion- https://www.transunion.com/credit-freeze
- Experian- https://www.experian.com/freeze/center.html