Report Security Issues
1. Immediate Incident Response Plan
If you suspect a security issue (e.g., unauthorized access, malware, or a data breach), follow these steps:
| Step | Action | Priority |
| --- | --- | --- |
| Isolate | Temporarily disable or password-protect your store's public-facing access to prevent further data loss or damage. | HIGH | 
| Secure Credentials | Immediately change the passwords for your Shopify admin, any third-party apps, and the email associated with your store. Use strong, unique passwords. | HIGH | 
| Notify Shopify | Contact Shopify's security team directly through their official support channel. They can investigate platform-level issues and lock down your account if necessary. | HIGH | 
| Backup | If possible, take a backup of your store's data for forensic purposes before making any changes. | MEDIUM |
| Document | Record the date, time, and nature of the suspected issue. Note any suspicious files, login attempts, or error messages. | HIGH | 
2. Reporting to Shopify (The Primary Channel)
Since your store is built on Shopify, Shopify is your first and most critical point of contact for security vulnerabilities affecting your platform.
- Vulnerability Reporting: Use Shopify's official channel for reporting security vulnerabilities (often called a Bug Bounty Program or Responsible Disclosure Program). This is the correct way to report issues you find in the platform itself.
- Customer Support: For immediate threats like unauthorized charges or admin access, contact Shopify Support immediately via live chat or phone.
3. Reporting to Legal/Regulatory Bodies
As your store operates under UK law, you have legal obligations if the security issue involves customer data:
| Area | Body to Notify | When to Notify |
| --- | --- | --- |
| Data Breach | Information Commissioner's Office (ICO) (UK Data Protection Authority) | Within 72 hours of becoming aware of the breach, if the breach is likely to result in a risk to people's rights and freedoms. | 
| Customer Notification | All affected customers | Without undue delay, if the breach is likely to result in a high risk to their rights and freedoms. | 
| Fraud/Police | Action Fraud (UK's national reporting centre for fraud and cyber crime) | If the incident involves financial loss or criminal activity. | 
4. Standard Security Issues Report Template
Use this structure to document and report the incident internally and to third parties (like Shopify).
| Section | Detail to Record |
| --- | --- |
| Incident Title | Example: Unauthorized modification of checkout files | 
| Date/Time of Discovery | [Date] at [Time] (Specify time zone, e.g., GMT) | 
| Scope of Impact | What was affected? (e.g., Customer data, Product prices, Shopify admin, Payment gateway, etc.) | 
| Type of Attack | (e.g., Malware, SQL Injection, Phishing, Unauthorized Login, DDoS, etc.) | 
| Affected Data | State clearly: Personally Identifiable Information (PII) of customers, financial data, or store inventory. |
| Observed Symptoms | (e.g., Admin email changed, unusual orders, unexpected code on homepage, etc.) | 
| Actions Taken | (e.g., Passwords changed, IP blocked, Shopify support contacted, Two-Factor Authentication enabled) | 
| Contact Person | [Your Name], [Your Role], [Your Phone/Email] | 
