Ledger seems to have a hard time communicating the facts properly. First, I believe that around July 2020, they informed that a data leak took place, involving 1M emails and personal contact data for 9.500 customers. By December 2020, the leak involved 272.000 customers as we know, essentially after the DB was made available on Raidforum.
These days, they’re sending out yet another Security Notice, referencing a breach on Shopify, their e-commerce partner (when purchasing on their official site, I believe the e-commerce part goes through Shopify’s platform). Judging by the dates they mention in their most recent notice, Shopify was not aware that Ledger’s data had been leaked on their platform by some rogue agents until the 21/12/2020, which is the date on which the prior Security Notice was released after the Raidforum business. Nevertheless, they informed Ledger on the 23/12/2020, which does not add up properly with the second Security Notice released around the 21/12/2020.
That would lead me to believe (dubiously) that they are talking about the same incident, albeit trying to discharge responsibility on Shopify, but they do not bind the two Security Notices together, indicating that they are referencing the same incident, providing further information in this case (or confusion).
Either I can’t interpret their intent, or they are messing up the way they communicate. If they are on about the same incident, make it explicit. If not, make it explicit too. I want to believe that they are on about the same incident, and that we’re not talking about two, which would seem berserk.
One has to wonder though exactly who has the customer data: Ledger, Shopify, or both. If it’s both, then this should also be known and explicit (I haven’t managed to find this on their site). Any (weak) data policy on one side is void if not carried out by the whole chain of value.
Dear client,
On December 23, 2020, Shopify, our e-commerce service provider, informed Ledger of an incident involving merchant data. Rogue agent(s) of their customer support team obtained Ledger customer transactional records in April and June 2020. This is related to the incident reported by Shopify in September 2020, which concerns more than 200 merchants, but until December 21, 2020, Shopify had not identified this affected Ledger as well.
We were able to examine the stolen data together with a third party forensic firm to identify the impacted customers.
We regret to inform you that you are part of the customers whose detailed personal information was stolen by Shopify rogue agent(s). Specifically, your name and surname, detail of product(s) ordered, phone number and your postal address were exposed.
We notified the French Data Protection Authority on December 26, 2020. We are continuing to work with Shopify and law enforcement on the case; an investigation is already underway, led by the FBI and the RCMP. Ledger also reported the events to the French Public Prosecutor and filed a complaint against the rogue agent(s).
Thefts and attacks such as this cannot go uninvestigated or unprosecuted. We continue to work with law enforcement as well as private investigators on these cases, and we are adding more firepower by hiring additional private investigation capacity, adding experience and approaches to finding those responsible for these data thefts.
FINALLY, keeping you secure is our reason for existing. We will soon release a technical solution that will remove the 24 words as the single pillar of the security of our hardware wallets and will open the door to funds insurance.
If you would like more detail on the many steps we are taking to prevent such incidents in the future, please read this blog post.
Sincerely,
Pascal Gauthier
Ledger CEO
I guess this renders a prior (May 2020) notice on the Shopify/Ledger incident void …:
https://www.ledger.com/our-ecommerce-database-has-not-been-hacked
Maybe I’m getting something wrong, but it does not seem like they communicate effectively …
Edit: It's seemingly yet another leak... Bad news from Ledger (again).
Now, we have new information to share: on December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack. Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA.
Along with forensic firm Orange Cyberdefense we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to those exposed in the previous attack there were approximately 20,000 new customer records including, email, name, postal address, product(s) ordered and phone number included in this breach.
If you’re among those who slipped through for the first time, check your emails because Ledger has sent a notification to all new winners who will start receiving phishing messages and be at risk of physical assault.
A map to incompetence: