Quote
they shouldn't have allowed customer data to be made accessible through any API, either in-house or third-party.
Not defending Ledger, but every business that asks for your information flows through an API. I'm a software engineer, an API to serve customer data is industry standard. But the industry standard is to secure your API. Ledger probably had poor security hygiene practices internally, which led to this.