The global e-commerce platform Shopify and e-wallet maker Ledger are facing a significant legal hurdle: a group of Ledger users has filed a class action lawsuit over the companies' failure to prevent a massive data breach in 2020.
The lawsuit was filed in the US District Court of Delaware on April 1 and alleges that Shopify “repeatedly and profoundly failed to protect the identities of its customers.”
The plaintiffs hold Shopify and its third-party data consultant TaskUs responsible for leaking Ledger buyers’ personally identifiable information (PII), despite marketing promises that ensured the total security of the Shopify platform.
The plaintiffs claim that Shopify and TaskUs were aware of the data breach for more than a week before notifying customers. They ask that Ledger and Shopify disclose the exact type of information leaked, and they seek a monetary award covering actual and punitive damages.
France-based Ledger is also listed as a defendant in the case for its marketing claims promising customer safety. The suit claims that Ledger “initially denied that a personal information compromise had occurred,” but later had to retract and mention the breach and Shopify in an email notification. The complaint reads:
“Despite repeated promises and a global advertising campaign touting unmatched security for its customers, Ledger – and its data processing providers, Shopify and TaskUs – have repeatedly and profoundly failed to protect their customers’ identities, causing targeted attacks on the crypto assets of thousands of customers and causing the members of the lawsuit to receive far less security than they thought they purchased with their Ledger Wallets.”
Hardware wallets, also known as cold wallets, are physical devices that provide crypto users with additional security for their private keys and seed phrases. They are marketed as more secure than hot wallets.
As alleged in the lawsuit, Ledger used Shopify to run its website’s online store. As a result of that relationship, Shopify had direct access to customers’ PII in Ledger’s database. Shopify uses TaskUs to provide customer support services, so TaskUs also had access to Ledger’s customer data.
Hackers seized the personal information of some 272,000 Ledger users and over a million Ledger newsletter subscribers in 2020. This was followed by a massive phishing and intimidation campaign targeting Ledger owners, causing some victims to lose crypto assets.
This is not the first class action lawsuit filed against Ledger and Shopify in relation to the data breach. In April 2021, a lawsuit was filed in California by a different group of whistleblowers. That complaint made similar allegations to the recent Delaware filing that Shopify and Ledger “negligently allowed, recklessly ignored, and then intentionally tried to cover up the situation to occur.”
On April 2, e-wallet manufacturer Trezor was the target of a phishing attack targeting its users via marketing service provider MailChimp. On April 3, Trezor confirmed in a Tweet that a data breach had occurred. The company warned users that it would stop communicating through the newsletter and that it had closed three of its domains.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.