A 2020 data breach in which hackers accessed information for over a million Ledger users is once again at the heart of a class-action lawsuit. This time, the plaintiffs are going after Canadian e-commerce giant Shopify in connection with its role in the breach.
Between April and June 2020, attackers were reportedly able to access Ledger’s online store on which customers order their hardware wallets. They managed to access and steal personally identifiable information for over 270,000 users who had made an order for a Ledger wallet. They also accessed information on over one million other users who had subscribed to the company’s newsletter.
Ledger users have now filed a fresh class-action lawsuit against Shopify and TaskUs, an outsourcing company that provided customer support services for Shopify.
The lawsuit accuses the two companies of “failure to exercise reasonable care in securing and safeguarding consumer information in connection with a massive 2020 data breach impacting Ledger.” It claims that the data breach led to the public release of personally identifiable information (PII) that includes full names, email addresses, postal addresses, and telephone numbers.
As the plaintiffs observe, while blockchain transactions are publicly visible, they can’t be traced back to an individual without more information. The breach made this information available to the world, making Ledger customers easy targets for scammers who have been targeting them with phishing campaigns ever since.
“Customers lost money in phishing attacks and faced threats of physical violence or blackmail if they did not transfer crypto-assets to criminals around the world. Using the customer shipping addresses that Shopify and TaskUs failed to protect, hackers threatened to enter Ledger customers’ homes and assault them if they did not provide payment,” the lawsuit alleges.
While the data breach was bad enough, Ledger and Shopify made it worse by handling it in the worst possible way. Ledger at first denied the breach until December 2020, when the hackers published the data publicly. Even then, it claimed that less than 10,000 customers had been affected, only to retract its statement after more data was published publicly.
The plaintiffs are asking the District Court of Delaware for an award of actual damages, compensatory damages, statutory damages, and statutory penalties, among other punitive measures.
This isn’t the first class-action lawsuit against Shopify and Ledger for the data breach. In April last year, the first lawsuit was filed in California, claiming that the two “negligently allowed, recklessly ignored, and then intentionally sought to cover up” the breach.
Watch: CoinGeek New York panel, Investigating Criminal Activity on the Blockchain
New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.