Last Updated: January 18, 2022
It seems like data breaches are making it into the news more often nowadays. Ledger and Shopify were victims of one in mid-2020, and their troubles don’t seem to have ended with that incident: they are now facing a class action lawsuit as a result of it. The complaint states that they “negligently allowed, recklessly ignored, and then intentionally sought to cover up” last year’s breach.
Ledger sells hardware cryptocurrency wallets. A hardware wallet (as opposed to a software wallet) stores its data offline rather than online, objectively making it a safer option. Still, the fact that you’re currently reading about a data breach shows that nothing is 100% secure. Hardware wallets offer multiple features, such as sending, receiving, storing, and trading cryptocurrencies.
Shopify is a massive ecommerce company that is partnered with Ledger and sells their wallets online. It fell victim to a data breach shortly after Ledger, hence its involvement in the lawsuit.
One Million Customers at Risk
During the period between April and June 2020, Ledger’s ecommerce database was hacked, resulting in a leak of 1 million customer e-mails as well as some personal documents. The data was breached through a third-party tool that accessed the database through an API key, and the perpetrator was discovered to be one of Shopify’s employees.
Luckily, the attack targeted their marketing and ecommerce database, so users’ recovery phrases, private keys, passwords, and all financial information remained safe.
After closer investigation, Ledger revealed that besides e-mails, around 9,500 customers’ first and last names, postal addresses, phone numbers, and product(s) ordered were also exposed to the hackers. However, the number proved to be much higher—approximately 272,000 customers’ data was found on the dark web. Ledger didn’t disclose this critical development until the data showed up for sale on dark web forums in January.
The lawsuit, filed by law firm Roche Freedman with the US District Court for the Northern District of California, accuses Ledger and Shopify of mishandling the situation and attempting to cover it up.
According to the complaint, the hackers acquired “a list of people who have converted substantial wealth into anonymized cryptoassets that are transferable without a trace.” This leaves the affected customers in danger of someone manipulating and stealing their funds. It also makes them vulnerable to identity theft and the misuse of their data for online scams. To avoid being at risk, we recommend using the services of professional identity theft protection companies.
How Will the Story Unfold?
A common reaction to a scandal such as this is reimbursing the affected clients. However, that’s not currently on Ledger’s schedule.
In a December interview with Decrypt, Ledger CEO Pascal Gauthier stated, “When you have a data breach of this magnitude for such a small company, we won’t reimburse for a million users, all the devices, that’s just not possible.” He believes that reimbursing the clients would kill the company.
If reimbursement would kill Ledger, then this lawsuit might just pull the trigger.