Class action lawsuit filed against crypto wallet firm Ledger, Shopify over 2020 customer data breach

Quick Take

  • A new class action takes aim at crypto wallet operator Ledger and e-commerce giant Shopify over a customer data breach. 
  • Hundreds of thousands of Ledger customers saw their personal data exposed at the hands of a “rogue Shopify employee.”
  • How well Ledger and Shopify communicated with customers about the ongoing breach, and their respective responsibility for the phishing victims that resulted, are likely to be critical points of the case.

Ledger and Shopify, which handles the online sales of Ledger's wallets, have been hit with a class action over last year's data breach.

Ledger produces some of the most popular cold wallets on the market.

The summer of 2020 saw news spread of phishing attacks against Ledger users, with the firm ultimately disclosing that it had suffered a data breach that June in which customer contact and order information was compromised. In December, a database containing the personal information of more than a quarter-million Ledger customers was posted online.

Ledger and Shopify eventually identified a rogue Shopify employee as responsible for the leak, but not before some users reported threats of home invasion and other scareware tactics. At the time, Ledger CEO Pascal Gauthier took to Twitter to reassure users that their hardware wallets had not been compromised and that their funds were safe. Nonetheless, talk of starting a class-action case began soon after.

The lawsuit, the first to be filed in response to the information leak, comes from law firm Roche Freedman, which filed the complaint in a San Francisco court on April 6. The firm is known for its class actions against crypto firms such as Binance, Tron and iFinex, the parent company of Tether and Bitfinex. Last week, Roche Freedman filed a lawsuit on behalf of a customer of Nexo, as reported by Law360.

Regarding the Ledger breach, law firm partner Kyle Roche told The Block, "We've been investigating this since the day it became public. This investigation included speaking with experts in the data security and cryptocurrency fields."

In a statement, Ledger general counsel Antoine Thibault said: "Ledger does not comment on ongoing legal issues. Ledger would however like to take this moment to remind our customers, yet again, never to divulge their 24 words and validate the identity of the recipient of your transactions. You are in sole and total control of access to your funds."

The case will hinge on the question of who is responsible for what. Ledger's wallets themselves were not compromised, but the complaint includes the security of Shopify's service as part of Ledger's duty to clients. As noted in the complaint: "[b]y operating in the crypto-asset security space, Ledger places itself between user’s funds and would-be hackers. The anonymity of its customer list is a key and obvious element of the security that Ledger offers." 

Central to assigning responsibility will be the question of what Ledger and Shopify knew and how quickly they communicated that information to users. As Roche told The Block: "The case is noteworthy because two very large and sophisticated companies handling sensitive information will need to explain why it took them so long to warn their customers about such an awful and highly damaging incident."

The current complaint does not specify the amount of relief that it seeks for the class, but it does identify the "[m]atter in controversy" as worth over $5 million. Currently, the complaint references only two Ledger users directly, who together lost 4.2 BTC, 11 ETH and 150,000 XLM to phishing attacks. At today's prices, those holdings add up to $340,000, but were worth significantly less as of the time of the attacks. 

A copy of the complaint can be found below:

Ledger Shopify Complaint by MichaelPatrickMcSweeney on Scribd



About Author

Kollen Post is a senior reporter at The Block, covering all things policy and geopolitics from Washington, DC. That includes legislation and regulation, securities law and money laundering, cyber warfare, corruption, CBDCs, and blockchain’s role in the developing world. He speaks Russian and Arabic. You can send him leads at [email protected].