A previous security breach at the e-commerce firm Shopify has exposed sensitive data belonging to customers of around 200 of its merchants.
Among those impacted are customers of the cryptocurrency hardware wallet manufacturer, Ledger. The incident is the second time Ledger customers have potentially had personal information exposed in recent memory.
Although most of the data is the same as that from Ledger’s own security breach last year, those behind the Shopify leak obtained an additional 20,000 customer records.
Another 20,000 Ledger Customers at Risk
As BeInCrypto reported last year, a massive data leak at cryptocurrency hardware manufacturer Ledger saw the personal information of around 270,000 customers stolen. In December, the data found its way onto a public online forum.
Ledger initially downplayed the breach, stating that the June incident impacted only 9,500 users. However, the public release of the data showed otherwise.
With full names, home addresses, and emails leaked, reports of phishing attempts have since emerged. Some users even reported extortion attempts involving death threats.
Already in crypto’s bad books, Ledger disclosed yet another breach on Wednesday. In a company blog post, the firm revealed that it was among the merchants impacted by a security incident at the multinational e-commerce firm Shopify.
Recently, we shared news of a data dump. On December 23, we were alerted by our e-commerce provider Shopify about an incident in April & June ’20 where their rogue team members exported merchants’ customer databases. Ledger was included. More details: https://t.co/NHU3IbDL0a pic.twitter.com/DHQQ9arxCu
— Ledger (@Ledger) January 13, 2021
According to a post on Shopify’s website detailing the September 2020 incident, two ‘rogue members’ of the company’s support team stole transactional records from around 200 merchants.
The Shopify incident first came to light on Sept. 22, but the now-fired staff ‘illegally exported’ data in April and June. However, Ledger claims to have only learned about the leak involving its customers on Dec. 23.
Shopify is reportedly working with the FBI and other international law enforcement agencies to investigate the incident. Meanwhile, Ledger has reported the Shopify incident to the French Data Protection Authority and, earlier Wednesday, informed the additional users impacted.
Changes to Customer Data Storage
As part of Ledger’s more recent disclosure, the company has announced changes to the way it will handle customer data in the future. It claims it is now committed to storing personal information for the shortest time possible.
Additionally, the French hardware wallet manufacturer says it will delete sensitive data from order confirmation emails to avoid future information leaks via e-commerce providers. The company also says it will add a messaging protocol to Ledger Live, reducing the dependence on email communication with customers.
As well as pledging to continue working with global law enforcement, the firm announced the hiring of additional private investigators and the creation of a 10 BTC reward purse for information leading to the arrest and prosecution of those responsible.
Although Ledger repeated that the leak had not affected customers’ devices, many impacted users were understandably upset. Some stated that it is completely unacceptable for an apparent security company to leave customer data vulnerable in the first place:
Unforgivable honestly lol pic.twitter.com/niAxy29GWR
— MOON (@MoonOverlord) January 13, 2021