In a blog post today, hardware wallet designer Ledger returned to his customer database breach in July 2020 where two employees of the e-commerce platform Shopify were behind the hack.
on December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack. Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA.
Along with forensic firm Orange Cyberdefense we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to those exposed in the previous attack there were approximately 20,000 new customer records including, email, name, postal address, product(s) ordered and phone number included in this breach.
The investigation into the incident involving Shopify is ongoing and we will continue to update you as the situation unfolds. As of today: We notified the French Data Protection Authority on December 26th, 2020. After completing forensics with Orange Cyberdefense we informed all customers affected by this breach via email on January 13th, 2021. We continue to work with Shopify and prosecutors on the case; an investigation is already underway, led by the FBI and the RCMP. Ledger also reported the events to the French Public Prosecutor and filed a complaint against the rogue agent(s). We are continuing to work with Shopify using new internal processes to ensure enhanced security.
The Ledger hack
Ledger publicly revealed that customer information had been compromised in July 2020. At the time, the company estimated 9,500 customers had been affected by the hack. In the following months, CoinDesk documented a string of convincing phishing attempts executed by the hackers, including emails that mimicked official Ledger correspondence and text messages.