Ledger and Shopify have become involved in a lawsuit over a massive data breach that resulted in the loss of 270,000 customer information between April and June 2020 .
Scam victims John Chu and Edward Baton filed a California lawsuit against cryptocurrency wallet provider and e-commerce partner Shopify on Tuesday. Here are the details of the situation.
As a reminder, hackers gained access to Ledger user data in June 2020. A month later, company employees stated that only e-commerce and marketing data, such as email addresses, were affected. However, as it turned out later, it was about personal information in the form of names and surnames, residence addresses and phone numbers. Moreover, the scale of the loss turned out to be much greater than the employees of the company initially said.
Ledger fully acknowledged the data breach on January 13th in a blog post that confirmed that user database access was the result of a Shopify hack. At the same time, company representatives tried to assure the changes regarding data storage systems, and also announced a reward of 10 BTC for information about hackers.
Prior to this, it became known that no compensation for users is expected, since they gave their consent to the use of personal data. As a result, some of the company’s clients did not like this attitude, who have now sued it.
The consequences of a Ledger data leak
The plaintiffs argue that the firms “inadvertently allowed, recklessly ignored, and then deliberately sought to cover up” the incident. The data was stolen when Shopify employee scammers accessed an e-commerce and marketing company’s database for Ledger and then sold the information on the darknet.
Here is a quote from the representatives of the prosecution, in which they voiced their own position. The replica is provided by Cointelegraph.
If Ledger had acted responsibly during this period, most of the losses could have been avoided.
This means that the company’s clients believe that the situation might not have happened if the company had taken some action. One of them could be the deletion of personal data of users after a certain period of time. This is exactly what Ledger employees promised to do after the hack. Now information about the client’s place of residence and his phone number should be deleted three months after the order was sent – at least this was stated by the company representatives earlier.
Ledger owners under attack – almost all victims of potential phishing attacks
The plaintiffs are seeking damages and “all remedies permitted by law, including injunctive relief.” In particular, Chu lost more than $ 267,000 in BTC and ETH , and Baton lost $ 75,000 worth of XLM as a result of phishing attacks that mimic the correspondence of firms.
Here it is necessary to clarify that in fact the users’ cryptocurrency was not stolen, and the scammers did not have access to it. In this case, they only used the client’s data to gain trust and get a seed phrase from a cryptocurrency address – a unique combination that allows you to access the contents of the wallet. That is, in fact, he himself provided access to the coins, although not intentionally.
The data, including full names, email, phone numbers and shipping addresses, was eventually posted to the RaidForums website in late December. The lawsuit accused Ledger, in particular, of the fact that the company did not “individually notify each affected customer or did not acknowledge the entirety of the violation.” Here is a quote.
As a result of negligent activity, Ledger clients have become victims, whose identities are known and available to every hacker in the world. Ledger’s persistently inadequate support response has exacerbated the damage.
We believe that the hacking situation really turned out to be unpleasant. However, as time has shown, hackers tried to steal cryptocurrency exclusively through deception, not violence. Nevertheless, in the latter case, they risk being imprisoned, and the fact of purchasing hardware storage does not guarantee the availability of large reserves of cryptocurrency. At the very least, the device could be bought for a gift.
Ultimately, however, the company will have to answer for its oversight. The user who has lost cryptocurrencies will hardly have to compensate for the loss, since he himself allowed them to be stolen, but the manufacturer’s reputation still suffered. Users still reply to almost any Ledger tweet and mention the incident. It will take a lot of time to fix the situation.