The hacker likely responsible for Ledger’s security breach in July has recently dumped a large amount of data, disclosing the personal information of more than 270,000 customers, including telephone numbers and physical addresses. The leak also included 1 million emails from Ledger wallet owners and customers signed up to the company’s newsletter service.
Amid the uproar caused by the incident, Ledger says the focus is on improving the security infrastructure rather than compensating users for any losses. Meanwhile, some affected customers are reportedly considering taking legal action against the company in the form of a class action lawsuit.
Ledger’s customer data breach also provides new fodder for the argument against implementing more Know Your Customer compliance protocols; critics argue that such measures encourage targeted cyberattacks aimed at uncovering critical personal data.
Personal account information of more than 270,000 customers compromised
As mentioned, the hacker believed to be responsible for breaching the Ledger e-commerce database dumped the personal information of thousands of affected users online in July. The company has been blamed on social media for failing to provide better user data protection and for downplaying the scope of the initial breach. At the time, the hardware wallet maker stated that only 9,500 customers were affected by the security breach.
Addressing the discrepancy in the reported number of people affected, Ledger issued a statement on Dec. 21 stating that the leak covered more material than it had been able to analyze earlier in the year. However, the company confirmed that customers’ money remained safe and added, “This data breach has no link or impact on our hardware wallets, the app or your money. Your crypto assets are safe. Although it is sincerely regretted, this breach only concerns information about e-commerce.”
Responding to the incident on Twitter, Ledger CEO Pascal Gauthier noted that the leak was indicative of the growing threat of cyberattacks. Appearing on the What Bitcoin Did podcast with Peter McCormack, Gauthier commented on the nature of the breach, stating that it was due to an error in the company’s e-commerce stack.
“It is a wrong API key encrypted on the map client to import the database from the store that was encrypted in the wrong placements and therefore encrypted where it shouldn’t have been encrypted and the database was exposed to a simple attack,” Gauthier explained.
Amid the responses to the leak, some cybersecurity experts stressed that the incident was another indication of the lack of encryption by database administrators when storing user data. Ledger’s CEO addressed the lack of encryption of the API keys, adding that it was an honest mistake and not a deliberate attempt to compromise customer security by not hashing API keys.
Commenting on the leak, Ruben Merre, CEO of hardware wallet maker NGRAVE, noted that the incident was a reflection of the rapid growth among crypto companies at the expense of security concerns. He added, “So many online platforms are being hacked, and not necessarily because of hackers’ skill. Platforms often simply have poor security management, let alone implementation.”
Scareware and other risk factors
The data breach has sparked a new series of phishing attacks as rogue actors, now armed with the emails from Ledger users, try to trick the wallet’s customers into revealing their 24-word seed phrase. Even before the data dump, such fake emails were common.
However, the exposure of phone numbers and personal addresses may expose Ledger users to more risk factors. Some users have reported attempted SIM swapping attacks on their numbers, with the hacker supposedly trying to compromise two-factor authentication protocols.
Crypto investors have been targets of SIM swap attacks in the past. In June, Richard Yuan Li was accused of conspiring to commit wire fraud in connection with a series of SIM swap attacks targeting more than 20 people.
Aside from phishing and SIM swap exploits, the data breach also opens up the possibility that the risk factors may move beyond scareware into the realm of actual physical attacks. Indeed, some users affected by the incident claim to have received threatening messages demanding payment or else risking possible home invasions.
Ledger’s CEO has recognized the potential for physical attacks as a result of the company’s oversight and has also assured users that their hardware wallet devices include various protective measures against theft of funds. Among these security measures are a device reset triggered by incorrect PIN code entry and a second password that displays a fake account, thus protecting the owner’s actual money from bad actors.
Moreover, the consensus among security experts on social media is that consumers should use PO Box addresses or other public pick-up locations instead of their actual home address when ordering sensitive items like a Ledger wallet. For those with compromised phone numbers, the best course seems to be getting a new number and using a new email address to communicate the change to important contacts.
As affected customers continue to deal with the fallout from the leak, Ledger says it is working to prevent future events. In a statement to Cointelegraph, the company stated:
“We are doing everything we can to stop these attacks and avoid such situations in the future. Ledger has implemented a series of measures to protect our users from falling victim to phishing attacks. We’ve set up a webpage on the anatomy of phishing attacks so that users can avoid falling for them and report new attacks.”
Affected users threaten legal action
Some affected users started advocating legal action against Ledger immediately after the reported leak. There is even a “Ledger wallet leak” subreddit on the Reddit platform, where users discuss possible modalities for a class action lawsuit.
Ledger, headquartered in Paris, is governed by the laws of the European Union. In November, the European Parliament adopted legislative changes that will allow EU customers to file class action lawsuits against companies operating in the region within the next two years.
According to the ruling at the time, once enacted into law, class action lawsuits could be brought against companies operating in the EU on matters related to, among others, financial services, tourism and data protection.
Ledger’s EU customers will require a qualified consumer protection body or other recognized entity to represent the complainants. However, unlike US law, punitive damages from class action lawsuits in the EU are limited to the actual losses suffered by the class of plaintiffs.
In addition to customers filing a lawsuit against the company, the data breach could also constitute an invasion of privacy in the eyes of European regulators, especially under the EU General Data Protection Regulation. In such situations, the EU has the option to fine Ledger up to 4% of its income.
If Ledger’s CEO admits that the company has improperly anonymized user data, the company could come under scrutiny by EU officials. Recital 26 of the GDPR mandates that all companies ensure that all information that can identify users is completely removed from their cache of stored or processed data.