Shakepay has taken proactive steps to inform its customers following a recent data breach that impacted a small segment of its user base. On December 29, 2023, the company shared updates from its ongoing investigation, reinforcing its commitment to transparency.
The scope of the data breach spans a timeline from March 22, 2023, to December 13, 2023. During this period, a malicious actor extracted personal details of select customers, utilizing two separate data sets. "The first data set came from our internal platforms," the company stated, detailing information such as names, email addresses, dates of birth, and transaction activity that may have been accessed. Customers impacted were directly notified via email on December 14, along with updates on the company's blog and social media.
"The first data set came from our internal platforms,"
The second data set was accessed through a third-party customer communications platform between December 10 and 13. This data accessed comprised names, emails, and account event details, but did not include sensitive information like account balances or personal identifiers such as phone numbers and addresses. An email alerting potentially affected customers of this breach went out on December 29.
"All customers affected by this data incident have been contacted directly," the company confirmed, assuring them that sensitive credentials and financial accounts remained secure throughout the incident.
"All customers affected by this data incident have been contacted directly,"
Upon detecting suspicious activity on an employee’s work device on December 13, Shakepay's security team promptly initiated an investigation. The response involved locking, deauthorizing, and offboarding the compromised device. The affected employee was suspended as the investigation continued. "We acted swiftly, adhering to our incident response protocol," the company noted.
"We acted swiftly, adhering to our incident response protocol,"
Impact and Legacy
By December 14, Shakepay was able to confirm the identity of impacted customers through internal monitoring systems, and, as a precaution, temporarily disabled withdrawals for certain clients. A heightened verification process was then introduced on December 22, allowing affected customers to regain access once completed.
Impact and Legacy
Eventually, logs provided by the third-party platform confirmed a broader list of those potentially impacted, a process that took longer due to reliance on external cooperation. Following these developments, the company terminated the employee responsible for the breach due to violation of internal security policies.
In response to the incident, Shakepay has taken significant measures to improve customer support and security. "We’ve increased customer support representatives by 35% since December 13 to help improve our customer service response time," said Shakepay. "We’re continuing to invest heavily in improving our customer service, and customers can expect significant improvements over the coming months."
"We’ve increased customer support representatives by 35% since December 13 to help improve our customer service response time,"
The company has also implemented upgraded internal monitoring systems to detect such incidents earlier and introduced additional verification steps for users making significant financial transactions. “Certain customers will now be required to re-verify their accounts with face authentication when performing these activities,” they explained.
Impact and Legacy
Despite this incident, Shakepay emphasized that their internal controls, such as employee background checks and layered access permissions, helped mitigate the impact. They encouraged customers to remain vigilant and report any suspicious activities, highlighting the importance of recognizing potential phishing attempts. "As always, we’d like to continue to encourage customers to be aware of signs of suspicious activity and monitor for potential phishing attempts," the company advised.
"As always, we’d like to continue to encourage customers to be aware of signs of suspicious activity and monitor for potential phishing attempts,"
Shakepay's data incident represents a critical moment in the company's operational transparency efforts. While the breach has created immediate challenges, the measures taken to fortify security infrastructure also allow for a long-term commitment to safeguarding customer data in the future.