Ledger and Shopify have been hit by a class action lawsuit over a major data breach that saw the personal data of 270,000 hard wallet customers stolen between April and June 2020.
Phishing scam victims John Chu and Edward Baton filed the lawsuit in California against the crypto wallet provider and its e-commerce partner Shopify on April 6.
The plaintiffs alleged that the firms “negligently allowed, recklessly ignored, and then intentionally sought to cover up” the data breach. The data was stolen when rogue employees of Shopify accessed the company’s e-commerce and marketing database for Ledger, with the hackers then selling the data on the dark web.
“Had Ledger acted responsibly during this period, much of that loss could have been avoided,” they claim.
The pair are seeking redress for the damages caused by the breach, requesting “all relief allowed by law, including injunctive relief.” Chu lost $267,000 worth of BTC and ETH, and Baton lost $75,000 worth of XLM in phishing scams that impersonated correspondence from the firms.
The data, spanning full names, email addresses, phone numbers, and shipping addresses, was eventually posted on the website RaidForums in late December. The lawsuit accuses Ledger in particular of failing to “individually notify every affected customer or admit to the full scope of the breach.”
“Ledger’s and Shopify’s misconduct has made targets of Ledger customers, with their identities known or available to every hacker in the world. Ledger’s persistently deficient response compounded the harm. In failing to individually notify every affected customer or admit to the full scope of the breach.”
While it has yet to be proven whether the firm knew the full scope initially, it published a blog post in July 2020 stating that 9500 users had their data leaked at the time.
Ledger fully acknowledged the data leak on January 13 in a blog post confirming that access to its user database had been a result of the Shopify hack. The post also announced changes to how the company stores data and communicates with customers, and offered a 10 BTC bounty fund for information leading to the successful arrest and prosecution of the hackers.