A group of Ledger users has filed a class-action lawsuit in the United States District Court of Delaware against Global e-commerce platform Shopify, its third-party data consultant TaskUs as well as the hardware wallet maker itself.
According to the official document, the plaintiffs accused Shopify and TaskUs of their “failure to exercise reasonable care in securing and safeguarding” user data connected to the 2020 data breach that affected Ledger SAS crypto wallets.
The complaint read that the breach resulted in the unauthorized public release of around 272,000 pieces of personal information such as name, email ID, postal address, and telephone numbers.
The plaintiffs claimed that both Shopify and TaskUs were reportedly aware of the data leak for more than a week before notifying customers of the hack. Between April-June 2020, attackers exploited Ledger’s database via Shopify and TaskUs and obtained the list of the former’s customers’ PII. By the end of June, the victims’ data had been traded on the black market, which left them vulnerable to phishing attacks.
Ledger, which is also being accountable for repeated promises and global advertising campaigns touting its security, had initially denied the breach. By December 2020, the extent of the exploit worsened when the hacker published Ledger’s customer list online from Shopify.
Apart from phishing attacks. the victims also faced threats of physical assault and blackmail if they failed to transfer their funds to the criminals. It was then, the plaintiffs alleged, that the French hardware wallet company sent some of its customers affected by the data breach an email informing them for the first time that their PII was leaked.
The complaint also claimed that Ledger used Shopify to operate its website’s online store, due to which the latter had direct access to the personal information of users on Ledger’s database. Shopify uses TaskUs as a third-party contractor to provide customer support services and hence had access to the said customer data.
This isn’t the first time that Ledger and Shopify have been sued for a data breach that alleged several Ledger users lost their crypto assets in phishing attacks after their personal data got leaked.
However, the California court ruled in favor of Shopify and Ledger’s motion to dismiss the lawsuit in November last year. Judge Edward Chen stated that the US-based court does not have jurisdiction over the two entities since they are headquartered in Canada and France.
Earlier this week, another cryptocurrency wallet company, Trezor, confirmed that its users were targeted in MailChimp exploit. It was now investigating the email phishing campaign wherein the hackers sent fake notifications of data breaches after compromising a mailing list.