The hacker likely responsible for Ledger’s security breach in July recently dumped a large amount of data exposing the personal information of over 270,000 customers, including phone numbers and physical addresses. The leak also included 1 million emails of Ledger wallet owners and customers that were signed up to the company’s newsletter service.
Amid the furor caused by the incident, Ledger says its focus is on improving its security infrastructure rather than reimbursing users for any losses that may occur. Meanwhile, some affected customers are reportedly considering taking legal action against the company in the form of a class-action lawsuit.
The Ledger customer data leak also offers fresh fodder for the debate against implementing more Know Your Customer compliance protocols, critics of which argue that such measures encourage targeted cyber attacks aimed at exposing critical personal data.
Over 270,000 personal account details compromised
As mentioned, the hacker presumably responsible for breaching the Ledger e-commerce database back in July dumped the personal information of thousands of affected users online. The company was blamed on social media for not providing better protection of user data and downplaying the extent of the initial breach. At the time, the hardware wallet maker declared that only 9,500 customers were affected by the security breach.
Addressing the disparity in the reported number of people affected, Ledger issued a statement on Dec. 21 declaring that the leak covered more material than it was able to analyze earlier in the year. However, the company affirmed that customer funds remained safe, adding: “This data breach has no link nor impact on our hardware wallets, the app or your funds. Your crypto assets are safe. While very truly and sincerely regrettable, this breach concerns only e-commerce related information.”
Responding to the incident via Twitter, Ledger CEO Pascal Gauthier remarked that the leak was indicative of the growing threat of cyberattacks. Appearing on the What Bitcoin Did podcast with Peter McCormack, Gauthier commented on the nature of the breach, stating that it was the result of a mistake in the company’s e-commerce stack.
“It’s a wrong API key that got coded on the map client to import the database from the store that got coded in the wrong placements and so, therefore, was coded where it should not have been coded and exposed the database to a simple attack,” explained Gauthier.
Amid the reactions to the leak, some cybersecurity experts highlighted that the incident was another pointer to the lack of encryption deployment by database administrators in storing user data. The Ledger CEO addressed the lack of encryption on the API keys, adding that it was an honest mistake and not a deliberate attempt to jeopardize customer safety by failing to hash API keys.
Commenting on the leak, Ruben Merre, CEO of hardware wallet maker NGRAVE, remarked that the incident was reflective of rapid growth among crypto firms coming at the expense of security considerations. He added: “So many online platforms get hacked, and not necessarily because of the hackers’ skill. Often, platforms just have bad security governance, let alone implementation.”
‘Scareware’ and other risk factors
The data leak has triggered another round of phishing attacks as rogue actors, now armed with the emails of Ledger users, attempt to trick the wallet’s customers into revealing their 24-word seed phrase. Even before the data dump, such phony emails were a regular occurrence.
However, the exposure of phone numbers and personal addresses potentially opens up Ledger users to more risk factors. Some users have reported attempted SIM swapping attacks on their numbers with the hacker presumably trying to compromise two-factor authorization protocols.
Crypto investors have been targets of SIM swap attacks in the past. Back in June, Richard Yuan Li was charged with conspiracy to commit wire fraud in connection with a series of SIM swap attacks that targeted over 20 individuals.
Apart from phishing and SIM swap exploits, the data leak also opens up the possibility of the risk factors moving beyond scareware into the realm of actual physical attacks. Indeed, some users affected by the incident claim to have received threatening messages asking for payments or risk possible home invasions.
The Ledger CEO has acknowledged the possibility of physical attacks as a result of the company’s oversight, and has also assured users that their hardware wallet devices contained several protective protocols to safeguard against the theft of funds. Among these security measures is the use of incorrect pincode entries to format devices or a second password that displays a dummy account, leaving the owner’s actual funds safe from bad actors.
Additionally, the consensus among security experts on social media is that consumers should be using post office box addresses or other public pickup locations instead of their actual home addresses for sensitive items like a Ledger hard wallet. For those with compromised phone numbers, the best line of action appears to be getting a new number and using a new email address to communicate the change to important contacts.
While affected customers continue to deal with the fallout of the leak, Ledger says it is working to prevent future occurrences. In a statement to Cointelegraph, the company stated:
“We are doing everything in our power to cease these attacks and avoid situations like this in the future. Ledger has a set of measures in place to protect our users from falling victims to phishing attacks. We have set up a webpage sharing the anatomy of phishing attacks so users can avoid falling for them and report any new attacks.”
Affected users threaten legal action
Some affected users began advocating for legal action against Ledger immediately following the reported leak. There is even a “Ledger wallet leak” subreddit on the Reddit platform, where users are discussing possible modalities for a class-action lawsuit.
With its headquarters in Paris, Ledger falls under the laws of the European Union. In November, the European Parliament adopted legislative amendments that will allow EU customers to institute class-action lawsuits against companies operating in the region within the next two years.
According to the ruling at the time, once passed into law, class-action lawsuits can be filed against companies operating in the EU for cases involving financial services, tourism and data protection, among others.
Ledger’s EU customers will require a qualified consumer protection body or some other recognized entity to represent the complainants. However, unlike U.S. laws, punitive damages from EU class-action lawsuits are restricted to the actual losses incurred by the class of plaintiffs.
Apart from customers filing a lawsuit against the company, the data leak might also constitute a breach of privacy in the eyes of European regulators, specifically under the EU General Data Protection Regulation. In such situations, the EU has the ability to fine Ledger up to 4% of its revenue.
Indeed, with the Ledger CEO having admitted to the company anonymizing user data improperly, the company could come under scrutiny from EU officials. Recital 26 of the GDPR mandates all companies to ensure complete removal of all the information that can identify users from their cache of stored or processed data.