Ledger and Shopify Face Class Action Lawsuit from Schneider Wallace Over Allegations of a Data Breach Cover Up 

Schneider Wallace filed on April 6th, 2021 a class action complaint against Shopify and Ledger for allegedly covering up a data breach in 2020. Plaintiffs allege Ledger and Shopify “negligently allowed, recklessly ignored, and then intentionally sought to cover up” the data breach. The complaint was filed in the Northern District of California. 

Ledger and Ledger Cryptocurrency Wallets 

Ledger produces crypto-asset and cryptocurrency hardware wallets, known as Ledger wallets, that are purported to protect private keys and assets such as cryptocurrency.  One major aspect of customers seeking protection is crypto-assets are non-reversible, if an unauthorized transaction were to occur due to someone gaining access to a cryptocurrency wallet, the transaction could not be reversed. 

As such, protection is paramount to holders of crypto-assets, and Ledger claims to provide customers with the best security for private keys. Private keys are the passwords that allows access to a crypto-asset wallet. With the growing value of crypto-assets globally, Ledger has successfully raised $88 million in funding. 

Crypto-asset vs Cryptocurrency

Crypto-asset vs Cryptocurrency 

A crypto-asset is an umbrella term covering digital assets that utilize cryptography and digital peer networking. Cryptocurrency is a type of crypto-asset, but other types of crypto-assets exist such as platform tokens, crypto-commodities, transactional tokens, non-fungible tokens (NFTs) and utility tokens. 

Ledger wallets purport to be a safe location to store cryptocurrency and other forms of crypto-assets. That is, until the alleged data breach and lack of action by Ledger to protect their customers. 

2020 Ledger Data Breach 

As crypto-assets are digital, and the transaction if taken non-reversible, a list of Ledger customers is a list of people to target for hacking or theft. As stated in the complaint: 

“Ledger’s customer list is gold. It is a list of people who have converted substantial wealth into anonymized crypto-assets that are transferrable without a trace. Using that list, hackers can manipulate or compel those owners to make untraceable and irreversible transfers of the crypto-assets into the hackers’ accounts. The stakes of security for crypto-assets are thus enormous. With anonymity, owning a Ledger wallet is a cutting-edge method of securing crypto-assets. But without anonymity, owning a Ledger device simply creates a target for attackers.” 

Ledger’s own advertising notes: “If you don’t want to get hacked, get a Ledger wallet”. Unfortunately for Plaintiffs, they allegedly received significantly less security due to Ledger’s failure to protect the identity of their customers. 

In April and June of 2020, Shopify employees are alleged to have taken data from Shopify, including Ledger’s customer list, along with email addresses and other contact information. By June 2020, Ledger’s customer list was on the black market for sale or transfer. Ledger later identified a “potential data breach on the Ledger website” without mentioning employees of their partner had taken data. 

Home Invasion Threats, Blackmail 

As alleged in the complaint, the situation became more fraught through the remainder of 2020. From June to December, hackers published the data online, revealing 270,000 names, addresses, and phone numbers. Hackers around the globe gained access to the list of Ledger users. The alleged result is those on the list became targets, causing Ledger customers to lose money, face physical threats for their assets, and lose a sense of security even within their home. In some cases, there are allegations that customers faced threats of home invasion unless they agreed to pay anonymously via cryptocurrency. 

Ledger Class Action Lawsuit 

After the customer list became public knowledge in December 2020, the Ledger CEO described the resulting targeting of its customers as a “nuisance” for them. Plaintiffs seek redress for damages from April 1, 2020 to present under common law and consumer-protection statutes and seek to do so on behalf of the class of Ledger customers affected.  In the filed complaint, the two named Plaintiffs are residents of Georgia who purchased Ledger products. 

Non-reversible Cryptocurrency Theft 

Crypto-assets exist on a blockchain, or public list of ownership of coins tied to an address. If you own an asset, there is a public address or public key where others can verify that the coins are recorded as held to that address. Another private address, or private key, is used to make transactions. The public key is similar to a bank account number, something to be shared so transactions can occur. The private key is similar to the password to your online banking account, allowing control of the account, assets, and transactions. 

The private key is the only mechanism that allows for the transfer of crypto-assets. The control of the key allows for untraceable transfers of the assets from one address or wallet to another. To safeguard crypto-assets, one must keep the private key private. 

Ledger sells hardware wallets. These wallets do not hold the crypto-assets themselves, but are used to hold the private keys that allow for control of the asset. The hardware wallet is accessed by entering a PIN. In addition to hardware wallets, Ledger provides a software product called “Ledger Live” to manage their products and allow for transactions using private keys stored on the hardware wallets. 

If the hardware wallet is not online, such as connected to an internet connected device, one mechanism for theft is physical intimidation of users.  If thieves are aware of a Ledger customer’s information, and if they can confirm using public blockchain information or public transactions of public keys to a Ledger user, they can possibly identify how much the Ledger owner has in crypto-assets. By threat or use of physical force, a Ledger user can be compelled to reveal their private key, thus turning over access to their crypto-assets for non-reversible transfer and theft. 

Phishing of Ledger Customers 

Phishing is the practice of pretending to be a legitimate person or company in order to gain access to passwords, banking information, or other private sensitive information. Common examples include emails sent to look like an email from your bank, which take you to a website that looks similar to your bank’s website. If you enter your username and password, they now possess this information to access your account. 

As users become more aware of these tactics, hackers have shifted efforts to using personal information in more targeted attacks, adding in names and other personal data to appear more legitimate. One critical piece of information is knowing whether or not your information has leaked, as you can be more aware of how to react to incoming communication. 

In June 2020, Ledger by their own admission chose to only communicate about the hacked information to 9,500 of their approximately 1m people affected. After this, phishing attacks using Ledger’s own brand name occurred, including this example from October 2020: 

The phishing attack led users to disclosing the private keys that allow access to their crypto-assets, resulting in large losses.  One Plaintiff lost approximately $280,000 in Bitcoin and Ethereum, based on current prices as of May 11, 2021. 

Class Action Lawyers 

Schneider Wallace is a leading law firm in class action on behalf of consumers who have been wronged or hurt by corporate conduct.  Schneider Wallce filed the class action against Ledger and Shopify in the Northern District of California along with Roche Freedman. 

Schneider Wallace has previously been appointed lead counsel in a New York class action against Bitfinex and Tether, regarding an allege scheme to engage in a “part-fraud, part-pump-and-dump, and part-money laundering” scheme. 

If you discover you have been harmed by a corporation’s conduct, including inaction to reduce harm after a data breach, contact the experienced consumer attorneys at Schneider Wallace.