E-commerce and Marketing data breach - FAQ

On July 14, a researcher contacted us through our bounty program to inform us of a data breach on our e-commerce and marketing database. We immediately fixed the data breach and launched internal investigations. We found that the exposed data was subject to unauthorized access. Your funds are safe.

On December 20, we were informed about the dump of the content of a Ledger customer database. We are still investigating, but early signs tell us that this indeed could be the contents of our previously breached e-commerce database.

On December 23, we were notified by Shopify, our e-commerce service provider, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger's.

Please find answers to frequently asked questions below. For details about the data breach, refer to our blog post; for the Shopify incident, refer to this article.

Are my personal details (name, address, phone number) compromised?

After we discovered the breach in July, we sent an email to all 9,500 affected customers for whom our logs allowed us to ascertain that personal details were leaked. If you did not receive that email, we had no evidence at the time that any of your personal data other than your email address was leaked.

After we were made aware of the dump of December 20, it became clear that a larger subset than the initial 9,500 customers had their personal data exposed. We have sent an email to all the customers in this subset (~272,000 individuals). If you were part of this detailed personal information subset, you received a specific email notifying you on December 21st, 2020.

On January 13, we communicated with the approximately 292,000 customers impacted by the Shopify breach. If your data was compromised through this Shopify data breach, you were notified by email; the email is titled "SECURITY NOTICE: Ledger included in Shopify database breach" and was sent on the 13th of January 2021 at around 4 PM CET.

What happened with the data breach reported in July 2020?

An attacker gained access to a portion of our e-commerce and marketing database through a third party’s API key that was misconfigured on our website, which allowed unauthorized access to our customers’ contact details and order data.

Who is the third party solution? Why were they processing customers’ data?

Ledger e-commerce and marketing teams use a third-party solution (Iterable) to send and analyze transactional and marketing emails to customers who have bought products on ledger.com or have signed up to receive our newsletters.

Since when does this issue exist?

The misconfigured third-party API key at issue had been in place since August 9th, 2018. Based on the evidence and logs we have, we believe it was discovered and exploited from April 2020 to June 28th, 2020.

What happened with Shopify?

On December 23, 2020, we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger's. The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported in September 2020, which concerns more than 200 merchants, but until December 21, 2020, Shopify had not discovered that Ledger was also targeted in this attack. Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA.

Along with the forensic firm Orange Cyberdefense, we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to the one exposed in the previous attack, there were approximately 20,000 new customer records, including email, name, postal address, product(s) ordered and phone number, included in this breach.

If you purchased a Ledger product after the end of June, 2020, or if you purchased your product outside of Ledger.com, your data was not exposed in these incidents.

What type of data was compromised from Ledger's customer database?

In both breaches, the information exposed relates to e-commerce and marketing databases. It contains emails, first and last names, phone numbers, and postal addresses, as well as the type of product purchased.

It does not include credit card information.

We now know that approximately 1M email addresses were leaked along with approximately 292,000 personal information records such as first and last name, phone number, postal address, and products purchased.

Why did you communicate on 9,500 personal details, and not 272,000?

The determination of the number of personal details (name, physical address, phone number) made in July 2020 was based on the forensic analysis of our third-party security consultancy, which advised that there was only evidence of 9,500 impacted persons. We acted swiftly and with the best knowledge available to us at the time. We can now verify from the published database that detailed information (name, postal address, phone number) of about 272,000 users was obtained.

Was the data breach fixed?

Regarding the data breach discovered in July: it was fixed the same day we discovered it, by deactivating the API key.

Regarding the Shopify data breach: Since becoming aware of the incident, Shopify immediately suspended the individual’s network access, confiscated the individual’s laptop, and engaged digital forensics experts and counsel to continue their investigation.

We are doing everything possible to make Ledger stronger for the future. We have hired a new Chief Information Security Officer (CISO). We are further hardening our already strong systems. We executed penetration tests and forensic analysis with external security firms to test them and find any additional vulnerabilities in our e-commerce systems.

We are continuously working with law enforcement to prosecute the criminals. We have notified the French data protection authority regarding the data breaches and are working with other data protection authorities across the world.

Are customer funds impacted?

No. Neither payment information, credentials (passwords) nor crypto funds were impacted. This data breach has no link to and no impact on our hardware wallets or the Ledger Live application. Your crypto assets are safe and are not in peril.

Our security model prevents attackers from accessing any sensitive information related to our hardware devices like recovery phrases and private keys. Users are in complete control and the only ones able to access this information.

What about “non-public identification info” like bank account numbers, social security details?

As stated in our Privacy Policy, we never request or hold that information.

Is customer data handled in-house or by a third-party vendor?

In accordance with our Privacy Policy, as a data controller, we may transmit some of your data to third parties such as payment service providers (PSPs), infrastructure, logistics, and other service providers, within applicable contractual and legal frameworks.

Have there been any ransom demands?

We have been made aware of some ransom demands. We believe this to be another global scam attempt as the same message is being sent by email and SMS in different languages. We continuously monitor the campaign on a dedicated page.

What remedial measures is Ledger taking to resolve this?

  • We fixed the data breach immediately.
  • We investigated the data breach immediately, both internally and with external forensic experts (Orange Cyberdefense), to discover any unauthorized access to our customer data by a third party.
  • We have informed the French Data Protection Authority of the data breach and updated them on the situation.
  • We have informed our customers.
  • We have filed a formal criminal complaint with the French Public Prosecutor and are updating it with new information.
  • We performed penetration testing internally and we are pushing forward the external penetration testing that was originally planned for September 2020.
  • We have periodic internal audits planned on our data retention policies to ensure continued compliance with Applicable Laws.
  • We are extending to e-commerce the scope of our security and organizational program, originally focusing on our Products (HW & Vault). We are taking steps towards meeting the requirements listed in ISO 27001.

Can the info obtained by the hackers bypass Two-Factor Authentication (2FA) measures?

No. Our e-commerce website does not retain any login/password information, so 2FA is not relevant to our security scheme for it.

Are any customers reporting physical extortion?

Not to our knowledge, neither recently nor in the past, but some of the scams involve the threat of physical violence. If you receive such a threat, please contact local law enforcement authorities immediately. You may also report the threat to us on this page for inclusion in our investigation. Please know that Ledger was designed with the threat of physical attacks in mind; see the best practices for advanced security measures for instructions on how to protect yourself, and stay vigilant. We continuously monitor the campaign on a dedicated page.

We recommend that customers worried about that eventuality consult our best practices for advanced security measures and keep in mind that, in case of an emergency, entering the wrong PIN code 3 times will reset your device.

Why did Ledger wait for more than a week to communicate publicly about this marketing and e-commerce data breach?

We wanted to have all data necessary and we needed to perform legal compliance first.

We immediately fixed the issue and launched an internal investigation to evaluate the scope of the violation. We also investigated with Orange Cyberdefense to assess the extent of the breach, and we received the OCD initial report on the 24th of July.

We notified the French Data Protection Authority, the CNIL, of this data breach in compliance with the applicable laws.

Does Ledger comply with GDPR?

Ledger's goal goes beyond simple compliance with GDPR and other data protection regulations. Within 3 days of the discovery of the data breaches, Ledger reported the information to the French Data Protection Authority and has provided updates as they became available. Ledger is also working and communicating openly with other data protection authorities.

Ledger's privacy team is also mobilised to respond to and manage any privacy-related queries that customers may send us. If you have a specific request about your data (access, erasure, etc.), please send us an email at privacy@ledger.fr.

Our goal is to completely delete your personal data such as name, address, and phone number as soon as possible. To go above and beyond what is required by GDPR, we are challenging ourselves and third-party providers to keep this data for as short a period of time as necessary to fulfill our obligations to our customers (such as fulfilling your order) and the law (such as accounting and legal obligations). Data which needs to be kept will be put in a further segregated environment. For instance, we aim to put your e-commerce order information such as name, address and phone number in a segregated environment three months after the shipping of your product.

What can I do to protect my data moving forward?

Beware of phishing attempts that impersonate Ledger to request your recovery phrase. Ledger will never ask you for the 24 words of your recovery phrase, not even in Ledger Live, and Ledger will never contact you via text messages or phone calls.

Should you want to improve the security of your recovery phrase, we recommend that you consult our best practices for advanced security measures and keep in mind that, in case of an emergency, entering the wrong PIN code 3 times will reset your device.

What security measures were in place to protect our Personal Information?

In order to ensure the integrity and confidentiality of your personal data, we implement appropriate physical, electronic and organizational procedures to safeguard and secure personal data throughout our services.
More details about the security measures implemented are available in our Privacy Policy.
We notably implement the following security measures, among others:

  • Payment data security: if you provide us with credit card information, such information is encrypted in transit using Transport Layer Security (TLS) and sent directly to our Payment Service Provider (PSP). This information is never stored on our servers.
  • Awareness program and employee training
  • Data encryption in transit and at rest
  • Data centers routinely audited
  • Data redundancy for resilience in case of disasters
  • Role-based authentication
  • Two-factor authentication of our authorized employees
  • Continuous system monitoring
  • Industry-standard security evaluations
  • Independent third-party security reviews and penetration tests
  • Hiring of a new Chief Information Security Officer (CISO)
  • Takedown of more than 200 phishing websites since the original breach

Are you sure there is no other similar issue on your e-commerce site? Do you use other APIs?

We performed an internal audit and did not find any other issues. However, we continue to assess this regularly. We regularly perform external penetration tests and encourage other IT security researchers to reach out to us via our bug bounty program.

How can you be sure the alleged Shopify data breach disclosed in May was a hoax?

We had access to a sample of the alleged leaked database and found that it did not match our database.

How did the data breach impact Amazon orders, more specifically, billing/shipping addresses?

No information from Amazon orders (including email, billing, and shipping addresses from orders) was affected by the data breach.

Are you aware of existing phishing attacks on your clients?

Yes, and we continuously monitor the campaign on a dedicated page. Phishing campaigns are very standard in the industry, which is why we created Ledger Academy to educate our users. We conduct regular campaigns to remind our users of the dangers of phishing attacks and to always maintain caution. We have had a brand protection team in place for 2 years to monitor and take action against such abusive content.

Have you identified who compromised your database? Do you have any clue?

No. We filed a criminal complaint with the French Public Prosecutor based on preliminary evidence outlined in Orange Cyberdefense's independent forensic report, which we have been continuously updating. The investigation is ongoing.

Do you cross-reference my Ledger Live data with other data (e-commerce, hardware wallet)?

No, we do not.

Do you share data with governments?

Ledger does not share customer information unless required to do so by Applicable Laws as described in our Privacy Policy.

Why don't you purge your database?

For legal reasons, we are obliged to store some transactional information relating to our customers’ contact details and their orders data.

In accordance with the storage limitation principle set forth under applicable laws, we endeavor to retain data for no longer than the time required to comply with such legitimate and legal purposes, including satisfying any legal, accounting, tax, or other compliance reporting requirements.

We may archive some of your personal data, with restricted access, for an additional period of time when it is strictly necessary for us to comply with our legal and/or regulatory archiving obligations and for the applicable statute of limitation periods. At the end of this additional period, your remaining personal data will be permanently erased or anonymized from our systems.

If you purchased a product or a service from us, we may retain some transactional data attached to your Contact Details to comply with our legal, tax or accounting obligations for a maximum period of 10 years set forth by applicable French law, as well as to allow us to manage our rights (for example to assert our claims in court) during the applicable French statutes of limitations.

We also need to retain some of your personal data contained in this database, in order for us to answer your questions, to process potential claims, and to retain evidence for the criminal investigation.

Following the Shopify breach, we are changing the way we handle this data, to go above and beyond GDPR principles and take a best-in-class approach:

  1. Our goal is to completely delete your personal data such as name, address, and phone number as soon as possible. We are challenging ourselves and third-party providers to keep this data for as short a period of time as necessary to fulfill our obligations to our customers (such as fulfilling your order) and the law (such as accounting and legal obligations). Data which needs to be kept will be put in a further segregated environment. For instance, we aim to put your e-commerce order information such as name, address and phone number in a segregated environment three months after the shipping of your product.
  2. We will minimize the places your personal information is displayed. For example, we will be deleting the name, address, and phone number from the order confirmation emails we send to you, so this data does not pass through our e-commerce email provider.
  3. We will implement a messaging model where proactive important security and technical information will be conveyed through Ledger Live. Email and social media will ONLY be used for broadcasting product messages and announcements.
  4. We will be conducting a detailed re-assessment of all our suppliers and partners to ensure they continue to meet the highest standards.

Are the 24 words stored in the database?

No, our clients are completely and solely in control of their recovery phrase. Ledger will never request your recovery phrase.

If you are not able to protect our e-commerce data, how could you protect and secure our funds?

This is a fair and legitimate question from our customers. Indeed, since the inception of Ledger, we have focused on the security of our products because we knew this industry needed strong, fully monitored, and auditable security solutions to take off, and we are committed to offering our customers security products that we monitor with best-in-class knowledge.

This data breach comes from a misconfigured third party API key hosted on our e-commerce webpage. It has nothing to do with our security products and their own infrastructures. This does not mean this situation is not serious. This means it does not relate to the level of security of our products.

We are extremely regretful for this incident. We take privacy very seriously: we discovered this issue thanks to our own "bug bounty" program, and we fixed it immediately. But regardless of all that we did to avoid and fix this situation, we sincerely apologize for the inconvenience that this matter may cause our customers.

This situation is very stressful, what is supposed to reassure me?

We understand your concerns and we are extremely regretful for this incident. Data breaches and phishing attacks are an industry-wide problem. We continue working on this problem every single day; we take privacy and data security very seriously. As soon as we discovered this issue thanks to our own bug bounty program, we fixed it immediately and worked to inform you. But regardless of all we did to avoid and fix this situation, we sincerely apologize for any inconvenience that this matter may cause you. However, this data breach has no link with and no impact on our hardware wallets or Ledger Live security.

Crypto Casey does a great job of summarizing the situation and how to protect yourself in this video and podcast. Please take all steps to keep yourself and your crypto safe.

Your crypto assets are safe and have never been in peril. We are grateful for the trust you have put in our products. Moving forward, you can expect the highest standard of professionalism, transparency, and responsiveness from our services.

Do you know, provide or recommend an “ID theft” monitoring service?

No, we do not recommend using such a service. Instead, we recommend that our clients apply precautionary measures and beware of phishing attempts that impersonate Ledger to request your recovery phrase. Ledger will never ask you for the 24 words of your recovery phrase, not even in Ledger Live, and Ledger will never contact you via text messages or phone calls.

Should you want to improve the security of your recovery phrase, we recommend that you consult our best practices for advanced security measures and keep in mind that, in case of an emergency, entering the wrong PIN code 3 times will reset your device.

What are you doing to prevent a data breach from happening again?

These data breaches have challenged us deeply. Your trust is worth much more to us than your data. That is why we decided to completely change the way we handle data at Ledger, going above and beyond GDPR principles and taking a best-in-class approach:

  • Our goal is to completely delete your personal data such as name, address, and phone number as soon as possible. We are challenging ourselves and third-party providers to keep this data for as short a period of time as necessary to fulfill our obligations to our customers (such as fulfilling your order) and the law (such as accounting and legal obligations). Data which needs to be kept will be put in a further segregated environment. For instance, we aim to put your e-commerce order information such as name, address and phone number in a segregated environment three months after the shipping of your product.
  • We will minimize the places your personal information is displayed. For example, we will be deleting the name, address, and phone number from the order confirmation emails we send to you, so this data does not pass through our e-commerce email provider.
  • We will implement a messaging model where proactive important security and technical information will be conveyed through Ledger Live. Email and social media will ONLY be used for broadcasting product messages and announcements.
  • We will be conducting a detailed re-assessment of all our suppliers and partners to ensure they continue to meet the highest standards.

Thefts and attacks such as this cannot go uninvestigated or unprosecuted. For cryptocurrency to thrive there must be a price to pay for committing cryptocurrency theft. We continue to work with law enforcement as well as private investigators on these cases, and we are adding more firepower:

  • We are hiring additional private investigation capacity, adding experience and approaches to finding those responsible for these data thefts. We will continue to work in concert with global law enforcement to find, arrest, and prosecute those responsible wherever possible.
  • We are creating a bounty for new information, obtained legally, leading to the identification, arrest and successful prosecution of those responsible for attacks against Ledger and our customers. Ledger has seeded a wallet with 10 BTC (address: bc1qshfl9cnyjam64m3c2jpsg23u34z7w0kkwncdsd) as the initial bounty reserve. This will be disbursed at the discretion of Ledger and will consider factors such as: has the information been obtained legally? Is it new? How substantial is the information, and how far will it help progress the investigation and result in a direct ability to prosecute the individual(s)? Has that prosecution been successful? More generally, it will be subject to the terms of our bounty program available here.
  • We are announcing our intention to collaborate with others in the industry on this initiative. We are reaching out to other companies and individuals in the space about ongoing funding of this bounty program for crimes committed against the crypto community. CEOs of other companies in the crypto space, if you would like to join us on this project, please get in touch ASAP.