The hacker likely responsible for Ledger’s security breach in July recently dumped a large amount of data that exposes the personal information of over 270,000 customers, including telephone numbers and physical addresses. The leak also included 1 million emails from Ledger wallet owners and customers who signed up for the company’s newsletter service.
Amid the furor caused by the incident, Ledger says its focus is on improving its security infrastructure rather than compensating users for any losses that may occur. Meanwhile, some affected customers are reportedly considering suing the company through a class action lawsuit.
The Ledger customer data leak also provides fresh fodder for the debate against implementing multiple Know Your Customer compliance protocols, with critics arguing that such measures encourage targeted cyberattacks aimed at exposing critical personal information.
Personal information of over 270,000 customers compromised
As mentioned, the hacker allegedly responsible for breaching the Ledger e-commerce database back in July dumped the personal information of thousands of affected users online. The company was criticized on social media for not providing better protection of user data and for downplaying the extent of the original breach. At the time, the hardware wallet manufacturer stated that only 9,500 customers were affected by the security breach.
Addressing the difference in the reported number of affected persons, Ledger issued a statement on December 21 saying that the leak covered more material than it had been able to analyze earlier in the year. However, the company confirmed that customer funds were secure, adding: “This data breach has no connection or impact on our hardware wallets, the app or your funds. Your cryptocurrencies are secure. While very real and sincerely regrettable, this breach relates only to e-commerce related information.”
Responding to the incident on Twitter, Ledger CEO Pascal Gauthier noted that the leak was a sign of the growing threat of cyberattacks. Appearing on the What Bitcoin Did podcast with Peter McCormack, Gauthier commented on the nature of the breach and stated that it was the result of an error in the company’s e-commerce stack.
“It is an incorrect API key that was encrypted on the card client to import the database from the store that was encrypted in the wrong locations, and therefore it was encrypted where it should not have been encrypted and subjected the database to a simple attack,” explained Gauthier.
Amid the reactions to the leak, some cybersecurity experts highlighted that the incident was another indicator of database administrators failing to use encryption when storing user data. The Ledger CEO addressed the lack of encryption on the API keys, adding that it was an honest mistake and not a deliberate attempt to jeopardize customer security by not hashing API keys.
Commenting on the leak, Ruben Merre, CEO of hardware wallet manufacturer NGRAVE, noted that the incident reflects rapid growth among crypto companies that comes at the expense of security. He added: “So many online platforms are being hacked, and not necessarily because of the skill of hackers. Often platforms just have poor security management, let alone implementation.”
‘Scareware’ and other risk factors
The data leak has triggered a new round of phishing attacks as rogue actors, now armed with the emails of Ledger users, try to trick wallet customers into revealing their 24-word seed phrase. Even before the data dump, such fake emails were a regular occurrence.
However, the exposure of telephone numbers and personal addresses potentially opens up additional risk factors for Ledger users. Some users have reported attempted SIM swap attacks on their numbers, with hackers probably trying to compromise two-factor authentication protocols.
Crypto investors have been targets of SIM swap attacks in the past. Back in June, Richard Yuan Li was charged with conspiracy to commit wire fraud in connection with a series of SIM swap attacks targeting more than 20 people.
Aside from phishing and SIM swap exploitation, the data leak also opens up the possibility that risk factors move beyond scareware into the area of actual physical attacks. In fact, some users affected by the incident claim to have received threatening messages demanding payments or else risk possible home invasions.
The Ledger CEO has recognized the possibility of physical attacks as a result of the company’s oversight and has also assured users that their hardware wallet devices include multiple protection protocols to guard against theft of funds. Among these security measures are incorrect PIN entries that format the device and a separate password that shows a dummy account, leaving the owner’s actual funds safe from bad actors.
In addition, the consensus among security experts on social media is that consumers should use post office addresses or other public pickup locations instead of their actual home addresses for sensitive items like a Ledger hardware wallet. For those with compromised phone numbers, it seems that the best course of action is to get a new number and use a new email address to communicate the change to important contacts.
While affected customers continue to handle the fallout from the leak, Ledger says it is working to prevent future incidents. In a statement to Cointelegraph, the company stated:
“We are doing everything in our power to stop these attacks and avoid situations like this in the future. Ledger has a set of measures in place to protect our users from falling victim to phishing attacks. We’ve created a webpage that shares the anatomy of phishing attacks so users can avoid falling for them and report any new attacks.”
Affected users threaten lawsuits
Some affected users began suing Ledger immediately after the reported leak. There is even a “Ledger wallet leak” subreddit on the Reddit platform where users discuss possible modalities for a class action case.
With headquarters in Paris, Ledger falls under European Union law. In November, the European Parliament adopted legislative changes that allow EU customers to sue companies operating in the region within the next two years.
According to the ruling, once enacted into law, class action lawsuits can be filed against companies operating in the EU in cases involving, among other things, financial services, tourism and data protection.
Ledger’s EU customers will require a qualified consumer protection body or other recognized entity to represent the complainants. Unlike under US law, however, damages from EU class actions are limited to the actual losses incurred by the plaintiff class.
Apart from customers suing the company, the data leak could also constitute a breach of privacy in the eyes of European regulators, specifically under the EU General Data Protection Regulation. In such situations, the EU has the option of imposing a fine of up to 4% of the company’s turnover.
With the Ledger CEO having admitted that the company anonymized user data incorrectly, the company could come under the scrutiny of EU officials. Recital 26 of the GDPR mandates all companies to ensure complete removal of all information that could identify users from their cache of stored or processed data.