In brief
- Ledger revealed today that a data breach left vulnerable some 1 million emails and personal information for 9,500 of its customers.
- Benoit Pellevoizin, VP of Marketing at Ledger, joined Matthew Aaron on The Decrypt Daily to discuss the fallout of the hack and Ledger’s response.
- While the company does not plan to compensate victims, Ledger is exploring ways to improve its security.
Benoit Pellevoizin, the VP of Marketing at Ledger, joined Matthew Aaron for the latest episode of The Decrypt Daily to discuss the details of its recent data leak and what the hardware wallet company will do to address the breach and prevent similar ones in the future.
Earlier today, Ledger revealed that its ecommerce database was hacked last month after an attacker gained access to the database via a faulty third party API key. The breach resulted in the hacker gaining access to some 1 million email addresses, as well as personal information on another 9,500 users. These users spanned the globe, Pellevoizin confirmed.
Pellevoizin confirmed on the show that the “detailed personal information” which was exposed included “postal addresses, names, surnames, [and/or] phone numbers.” The logged data comes from shipping information customers provided upon purchasing Ledger’s products.
When asked what the hackers plan to do with this information, Pellevoizin said that Ledger “suspects that it’s about phishing attempts.”
“Basically, with emails, they can target our clients to impersonate Ledger to ask them for their seed phrase to gain access to coins...we never ask that,” Pellevoizin added. (A seed phrase is a 12 or 24-word phrase which, in the context of Ledger, is produced on the hardware wallet itself which is never revealed to Ledger or an external device upon setup).
Ledger has already emailed affected customers, Pellevoizin said, and they plan to send detailed emails for the 9,500 affected individuals who had their personal information stolen in the breach. He added that Ledger is not planning on providing reparations or any form of compensation to affected users while the investigation is ongoing with French authorities.
To protect against such API key breaches in the future (of which, host Matthew Aaron pointed out, there have been several inside and outside the crypto realm, such as the 7,000 BTC hack Binance suffered last year), Pellevoizin suggested more rigorous penetration testing is needed.
He also said that Ledger “is taking steps towards meeting the requirements for an ISO 27001 certification,” an international framework for managing information security management systems. This security certification, and the security robustness that it purports to uphold, “is key” to protecting data from breaches like this one, Pellevoizin said.
To hear the full interview and Pellevoizin’s responses to the situation, subscribe on iTunes to The Decrypt Daily for this and more takes and talks on the important news that’s shaping the world of cryptocurrency and blockchain technology.