In brief
- Crypto wallet provider Ledger was hacked last year.
- Emails, personal documents, and customer data were compromised.
- Now, Ledger and its partner Shopify are facing a class action lawsuit.
Customers of the cryptocurrency wallet provider Ledger are suing over a massive data breach.
The initial complaint, filed with the US District Court for the Northern District of California, alleges that Ledger and Shopify (an e-commerce platform that’s partnered with Ledger) “negligently allowed, recklessly ignored, and then intentionally sought to cover up” the breach. Any damages awarded to the plaintiffs would be determined at trial, should the lawsuit get that far.
Ledger sells hardware wallets, which are physical storage devices that let you hold crypto offline; the idea is that they’re less vulnerable to attacks than crypto stored on the internet.
Last July, the company announced that hackers had acquired 1 million customer emails from its servers, along with a list of associated email addresses. No funds were stolen, but users say that the exposed list of customer identities is potentially just as bad.
“To the world of hackers, Ledger’s customer list is gold,” explains the complaint. “It is a list of people who have converted substantial wealth into anonymized crypto-assets that are transferable without a trace. Using that list, hackers can manipulate or compel those owners to make untraceable and irreversible transfers of the crypto-assets into the hackers’ accounts. The stakes of security for crypto-assets are thus enormous.”
In response to Decrypt's request for comment regarding the lawsuit, Ledger General Counsel Antoine Thibault said the company "does not comment on ongoing legal issues." Thibault added: "Ledger would however like to take this moment to remind our customers, yet again, never to divulge their 24 words and validate the identity of the recipient of your transactions. You are in sole and total control of access to your funds."
In an interview with Decrypt last year, Ledger CEO Pascal Gauthier said he didn’t plan to compensate customers in the wake of the hack.
“When you have a data breach of this magnitude for such a small company, we won’t reimburse for a million users, all the devices, that’s just not possible,” he said at the time. “It would just kill the company.”
If customers get their way, Gauthier may not have a choice.