A proposed class action claims Ledger and Shopify “negligently allowed, recklessly ignored, and then intentionally sought to cover up” a mid-2020 data breach that allegedly exposed Ledger customers as targets for hackers.
The 43-page lawsuit out of California says hackers, from April to June 2020, exploited a database vulnerability at Ledger and e-commerce vendor Shopify and obtained a list of customers who had purchased the former’s hardware wallets for storing keys to their crypto assets. According to the suit, Paris-based Ledger initially failed to disclose the breach to customers, then downplayed the scope of the incident while proposed class members were exposed to phishing attacks, lost money, were threatened with physical violence and were left “feeling vulnerable in their own homes.”
“In the face of these obviously emergent circumstances, rather than acting to protect its customers, Ledger stood still,” the complaint reads.
Despite promising to provide customers with “the highest level of security for crypto assets,” Ledger, the suit alleges, has “repeatedly and profoundly” failed to protect their identities and essentially exposed them, without warning, to targeted attacks from hackers looking to gain access to their crypto assets.
According to the complaint, proposed class members would not have purchased Ledger’s Nano X and Nano S wallets, or would have paid significantly less for them, had they been aware of Ledger’s “lax security practices and unwillingness to promptly and completely disclose data breaches.”
Defendants Ledger SAS and U.S.-based affiliate Ledger Technologies Inc. primarily sell hardware wallets designed to store the “private keys” for consumers’ crypto assets, the lawsuit states. These private keys are akin to a bank account password in that access to the keys allows an individual to transfer their crypto assets, the case explains. According to the suit, however, crypto-asset transactions require additional security given they, unlike bank transactions, are effectively nontraceable and irreversible, enabling the holder of a private key to transfer or spend an asset with impunity.
The case says Ledger purports to provide “the highest level of security for crypto assets” in that it allows consumers to store their private keys on a hardware wallet not connected to the internet. Thus, the only way a hacker could gain access to an individual’s crypto assets is by tricking them into revealing the PIN for their Ledger wallet through a phishing attempt or by physically intimidating them into revealing their PIN, the lawsuit states.
Per the suit, Ledger knows the security of consumers’ crypto assets is based on anonymity. Although crypto-asset transactions are publicly visible on the underlying blockchain, asset owners are not identifiable based on public information, the lawsuit relays. As the case tells it, Ledger’s customer list is “gold” to hackers, who can use their names and addresses to “manipulate or compel” the individuals into transferring crypto assets into the hackers’ accounts.
“With anonymity, owning a Ledger wallet is a cutting-edge method of securing crypto-assets. But without anonymity, owning a Ledger device simply creates a target for attackers,” the complaint reads, alleging the public disclosure of Ledger’s customers “puts those individuals in the crosshairs of the very hackers the company seeks to impede.”
Hackers in the middle of last year gained access to a database of Ledger customers through Shopify, the company’s e-commerce vendor, after “two rogue members” of the vendor’s support team obtained transactional data for “less than 200 merchants,” including Ledger, the lawsuit says. The suit reports that information exposed in the breach included the names, physical addresses, phone numbers and order information of over 270,000 Ledger customers.
This information was then made visible “to every hacker in the world” after one of the actors posted the data on the dark web, according to the lawsuit.
Per the case, Ledger initially attempted to cover up the data breach until last December, when the hacked customer list was posted publicly “and became widely available.” In a December 21 message posted on its website, Ledger noted that the company “very deeply regret[s] this situation,” and acknowledged that because of the breach, “many [Ledger customers] have been targeted by e-mail and SMS phishing campaigns and that it’s clearly a nuisance,” the complaint relays.
Following the breach, Ledger customers, the case says, became the subject of targeted attacks, including phishing emails that were made to look like official Ledger communications. The complaint cites an online post from a customer who reported receiving a call from a man who threatened to kidnap the individual and harm their family if they didn’t pay a cryptocurrency ransom. The caller allegedly admitted that he knew the individual had purchased a Ledger wallet because their “information has been leaked on the dark web.”
The lawsuit charges that Ledger and Shopify’s failure to protect customers’ data has “made targets of Ledger customers” while their “persistently deficient response compounded the harm.” Per the suit, a “prompt and full disclosure to all customers” of the breach would have mitigated some of the damages.
“Before the breach, Ledger should have regularly deleted or archived customer data or should have otherwise protected that information from online accessibility,” the complaint says. “After the breach, Ledger repeatedly failed to provide critical information to its customers, compounding the harm to Plaintiffs and the Class.”
The case alleges violations of both California and Georgia state laws, as well as negligence on the part of Ledger and Shopify.