Not defending Ledger, but every business that asks for your information flows through an API. I'm a software engineer, an API to serve customer data is industry standard. But the industry standard is to secure your API. Ledger probably had poor security hygiene practices internally, which led to this.