Why Ledger Kept All That Customer Data in the First Place

Sunday’s dump of customer emails and addresses serves as a sobering reminder that even a maker of hardware crypto wallets can become a data honeypot.

By Marc HochsteinLayer 2
Dec 21, 2020 at 4:32 a.m. UTCUpdated Sep 14, 2021 at 10:46 a.m. UTC
By Marc HochsteinLayer 2
Dec 21, 2020 at 4:32 a.m. UTCUpdated Sep 14, 2021 at 10:46 a.m. UTC

First, the good news, in a manner of speaking: Ledger customers can now see firsthand whether their personal information was exposed in the hack discovered in July.

Someone posted the complete lists of 1 million email addresses and 272,000 names, mailing addresses and phone numbers belonging to customers of the France-based maker of hardware cryptocurrency wallets. The latter list is a lot bigger than the number previously disclosed by Ledger (9,500). 

Asked about the discrepancy, a Ledger spokesperson said: "At the time of the incident, logs from a third-party application managing our database showed 9,500 individuals were impacted. Simultaneously, we were working with an external security organization to conduct a forensic review, which also confirmed 9,500 people." In an email sent to customers later Monday, Ledger said the details in the list of 272,000 "are not available in the logs that we were able to analyse." Customers whose information was in that list will be notified by email within 24 hours, the company said.

“It is a massive understatement to say we sincerely regret this situation. We take privacy extremely seriously,” Ledger said in a tweet storm Sunday. “Avoiding situations like this are a top priority for our entire company, and we have learned valuable lessons from this situation.” Among other steps, Ledger has hired a new chief information security officer and taken down 170 phishing sites since the breach, it said.

There are at least three file-sharing sites, reminiscent of the golden age of MP3 blogs, where you can download the two lists. I will not post the links but it took just a few minutes searching Twitter to find them. 

If you download the trove, please check for your own details, then delete it. If you keep the file, gawk at the names or gossip with friends about it, well, I’ll be very disappointed

Several of the email addresses in the data leak match those that received phishing emails from scammers seeking to defraud CoinDesk readers. 

As we reported in July, these scammers were copying legitimate CoinDesk newsletters, adding some fraudulent paragraphs and links about a crypto giveaway, and sending them to individuals who never signed up to receive CoinDesk emails to begin with. 

Casa CTO Jameson Lopp suggested in November that Ledger customers may have been targeted; Sunday's data dump supports that theory. 

Bigger picture

The bad news: O.K., it’s not news but Sunday’s data dump serves as a sobering reminder that even a maker of hardware crypto wallets can become a honeypot of sensitive data. (I'm using the term "honeypot" in the sense of "a valuable target for hackers," not "a decoy site to trap them.")

The reason is partly due to the marketing imperatives of a startup, and partly due to legal and regulatory requirements.

In an FAQ posted in July, the company said an attacker had accessed part of its marketing database through a third party’s API key that had been misconfigured on Ledger’s website. 

As soon as the breach was discovered, the key was deactivated, Ledger said. But not in time to prevent the rascals from accessing the lists and, apparently, selling them to phishing artists. 

Why would a third party have an API key? The FAQ goes on to explain:

Ledger e-commerce and marketing teams use a third-party solution (Iterable) to send and analyze transactional and marketing emails to customers who have bought products on ledger.com or have signed up to receive our newsletters. … In accordance with our Privacy Policy, as a data controller, we may transmit some of your data to third parties such as payment service providers (PSPs) infrastructure, logistics, and other services providers, within applicable contractual and legal frameworks.

That covers the emails. What about all those mailing addresses, names and phone numbers? Why not purge those after shipping the goods? Back to the FAQ:

For legal reasons, we are obliged to store some transactional information relating to our customers' contact details and their orders data. 

In accordance with the storage limitation principle set forth under applicable laws, we endeavor to retain data for no longer than the time required to comply with such legitimate and legal purposes, including satisfying any legal, accounting, tax, or other compliance reporting requirements. 

We may archive some of your personal data, with restricted access, for an additional period of time when it is strictly necessary for us to comply with our legal and/or regulatory archiving obligations and for the applicable statute of limitation periods. 

At the end of this additional period, your remaining personal data will be permanently erased or anonymized from our systems. If you purchased a product or a service from us, we may retain some transactional data attached to your Contact Details to comply with our legal, tax or accounting obligations for a maximum 10 years period set forth by French applicable laws, as well as to allow us to manage our rights (for example to assert our claims in Courts) during applicable French statutes of limitations. 

We also need to retain some of your personal data contained in this database, in order for us to answer your questions, to process potential claims, and to retain evidence for the criminal investigation.

In other words, sometimes companies’ hands are tied and they have to hold on to the toxic waste that is customer data even if they don’t want to. 

Take heart; there are ways to mitigate the risk of exposure even when ordering physical products, as CoinShares Chief Strategy Officer Meltem Demirors noted on Twitter

UPDATE (Dec. 21, 16:45 UTC): Added statement from Ledger spokesperson.

UPDATE (Dec. 21, 18:40 UTC): Added quote from Ledger email to customers.

The Festival for the Decentralized World
Thursday - Sunday, June 9-12, 2022
Austin, Texas
Save a Seat Now

DISCLOSURE

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Trending

1
CoinDesk - Unknown
Las criptomonedas deberían cumplir con las mismas normas que las finanzas regulares, dice el G7

Los ministros de Economía y Finanzas quieren que la estabilidad financiera y los estándares de lavado de dinero entren en vigencia pronto, considerando la reciente agitación del mercado.

Los ministros de Economía y Finanzas quieren que la estabilidad financiera y los estándares de lavado de dinero entren en vigencia pronto, considerando la reciente agitación del mercado.

CoinDesk - Unknown
2
CoinDesk - Unknown
First a Hum and Then a Bang –Niagara Falls Residents Forced to Reckon With Crypto Mining

The city in New York has imposed a moratorium on new bitcoin mining operations as complaints about noise were compounded by an explosion and fire at a mining site last week.

The city in New York has imposed a moratorium on new bitcoin mining operations as complaints about noise were compounded by an explosion and fire at a mining site last week.

CoinDesk - Unknown
3
CoinDesk - Unknown
No es solo LUNA: las aplicaciones DeFi de Terra han perdido $28.000 millones

Los inversores han abandonado en gran medida el ecosistema Terra, ahora evidente en los protocolos DeFi en la blockchain, y los analistas siguen siendo escépticos sobre sus perspectivas a largo plazo.

Los inversores han abandonado en gran medida el ecosistema Terra, ahora evidente en los protocolos DeFi en la blockchain, y los analistas siguen siendo escépticos sobre sus perspectivas a largo plazo.

CoinDesk - Unknown
4
CoinDesk - Unknown
Crypto News Roundup for May 20, 2022

With bitcoin avoiding a steeper tumble and a look at what’s behind the biggest stablecoin of them all, CoinDesk’s "Markets Daily" is back with its latest news roundup.

With bitcoin avoiding a steeper tumble and a look at what’s behind the biggest stablecoin of them all, CoinDesk’s "Markets Daily" is back with its latest news roundup.

CoinDesk - Unknown