Matt Johnson, Ledger's new Chief Information Security Officer (CISO), had no choice but to hit the ground not just running but, well, sprinting. His first week of work entailed scrutinizing the fallout from an extensive data dump of customer information, among other areas such as data security and increased attacks that would come as a byproduct of bitcoin pumping.
In the aftermath of the largest hack in company history, and a little over a week after Johnson started, the hardware wallet company Ledger has announced its first measures to address the data breach and ensure such a hack doesn’t happen again.
These include working with blockchain analytics firm Chainalysis to hunt the hackers, offering a 10 BTC bounty for information leading to the hacker’s arrest and creating a comprehensive review of what information the company holds onto, where it’s stored and how long it’s retained.
Simultaneously, Ledger revealed that because of rogue actors at e-commerce partner Shopify, 20,000 new customer records, including emails, names, postal addresses and phone numbers, along with what products were ordered, have been exposed.
The Ledger hack
Ledger publicly revealed that customer information had been compromised in July 2020. At the time, the company estimated 9,500 customers had been affected by the hack. In the following months, CoinDesk documented a string of convincing phishing attempts executed by the hackers, including emails that mimicked official Ledger correspondence and text messages.
Then, in December 2020, a data dump “exposed 1 million email addresses and 272,000 names, mailing addresses and phone numbers belonging to people who had ordered Ledger’s devices, which store the private keys for cryptocurrency wallets,” as CoinDesk reported. The number of people affected was much higher than the original estimate of 9,500.
A rash of SIM swaps was reported in the days following the data dump, and some customers started getting extortion emails, including threats of violence.
In an interview last December, Ledger CEO Pascal Gauthier told CoinDesk the initial hack was, in part, a result of the company scaling so quickly, and that he and incoming CISO Matt Johnson would be announcing a new data policy and plan to further address the leaks in January.
Now, Ledger has released new information about the hack, revealing that it was likely due, in part, to rogue actors at Shopify, its e-commerce partner at the time.
Shopify’s rogue agents
On Dec. 23, 2020, Ledger was notified by Shopify of an incident “involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020,” according to a blog post.
Shopify told Ledger the data breach was part of its disclosure in September 2020, which involved over 200 merchants. Until Dec. 21, 2020, though, Shopify had not “discovered that Ledger was also targeted in this attack.” Shopify told Ledger it is continuing to investigate and that the issue had been reported to law enforcement.
In conjunction with forensic firm Orange Cyberdefense, Ledger examined the 292,000 stolen data records. It found that while the database is quite similar to the personal information exposed in the previous attack, there were 20,000 new customer records compromised.
The company said it notified customers who were affected on Jan. 13.
Ledger’s data security after the hack
First and foremost, in a blog post, Ledger reiterated that the company will never ask customers for their 24 recovery words, which can be used to access bitcoin and crypto wallets. It also stressed that as long as customers had not shared these words, their Ledger hardware devices were secure.
“We are announcing changes in the way Ledger will collect and handle customer data: keeping personal data for as short a time as legally possible, minimizing the display of personal data in emails, moving needed data in a further segregated environment as soon as possible, and creating a secure channel for communicating 1:1 with our customers via Ledger Live,” the authors, including new CISO Matt Johnson, wrote.
First, Ledger is changing the way it stores data. In an interview, Johnson said that while he would prefer not to have to hold user data at all, the company is legally obligated to do so for a period of time. But Ledger is looking to go beyond the privacy required by the European Union’s General Data Protection Regulation, according to Johnson.
"By going beyond the GDPR, what we mean is not 'holding data longer than GDPR requires', but quite the opposite," said Johnson. "Our goal is to delete data such as name, address, and phone number as soon as possible, even if we would be allowed to keep them under the GDPR. Some data, however, we will need to keep to fulfill our legal obligations such as accounting or tax requirements, and this data will be further segregated to limit its access."
Delete, delete, delete
Moving forward, Ledger will delete data from its e-commerce partner as well as move customer data to a database that can’t be accessed from the internet as soon as an order is fulfilled, before deleting it as soon as the company is legally able to.
The company will also be deleting names, addresses and phone numbers from confirmation emails sent to customers so that this data is not passed through third-party e-commerce email providers.
Email and social media will only be used for marketing messages and announcements, while Ledger Live accounts are being set up to communicate technical and security information, seemingly to avoid a repeat of previous phishing scams, in which scammers encouraged Ledger users to download important security updates via genuine-looking emails.
Finally, Johnson will be doing a comprehensive review of third parties handling the data.
“I will be going through and doing an examination of every single one of our third parties that we have to share or have the transmission of the data with as part of the supply chain,” said Johnson in a Zoom call.
“We'll be going through and looking at making sure that all of their processes are appropriate and rigorous, because if we're entrusting our data to them, we need to be 100% sure that they are actually operating to the best of their capability to meet all of those minimal requirements, and preferably push them to go beyond that.”
A bitcoin bounty and law enforcement
Ledger is working with various law enforcement agencies as well as the blockchain analytics firm Chainalysis. It has even set up a bitcoin bounty for information related to those responsible for the hack.
“We're running down leads so we can actually be able to recover, if that's at all possible, stolen funds if it's landing on exchanges,” said Johnson. “We want to make sure information is all being obtained in a legal way and shared directly with law enforcement agencies.”
Johnson said Ledger wants to make sure all information gathering is done legally and “above board” with the goal of prosecuting the individuals responsible.
The blog post qualified the bitcoin bounty, stating that the BTC will be disbursed at Ledger's discretion, taking a variety of factors into consideration. Echoing Johnson’s comments, these include whether the information has been obtained legally, whether it’s new, how substantial it is and how far it would go toward furthering the investigation and successful prosecution.
The company also hopes it can collaborate with other companies and individuals in the crypto industry to fund this bounty. It envisions a general purpose bounty fund, a sort of foundation to fight scamming and phishing attacks across the industry.
“We are actively trying to do things to protect and improve that ecosystem,” said Johnson.
Protecting your bitcoin even when recovery phrase is shared
The Ledger engineering team is also developing a product that “will protect the funds of a user even if they had shared their recovery seed with an attacker.”
Jerôme De Tychey, Global Head of Client Success at Ledger, said in an email the majority of the phishing attacks rely on making the Ledger Nano owners reveal their 24-word phrase. Scammers seize on that opportune moment of panic where the owners believe their funds to be at risk. Remembering crucial safety measures at that moment is not always possible, especially when the scammers pose as Ledger support staff.
“We are acknowledging this problem and we will soon release a technical solution that will remove the 24 words as the single pillar of the security of our hardware wallets and will open the door to funds insurance as well,” said De Tychey in an email to CoinDesk.
Moving ahead, how and when these changes are clarified and implemented will go a long way toward regaining users’ trust. But they represent a step forward for Ledger’s security in the aftermath of an extensive data breach, and just may work for the crypto community more generally. With bitcoin and other altcoins booming, the security around crypto tools and products is an iterative process.
“There are always these new avenues that people attempt to exploit,” said Johnson. “So we have to do that continual reassessment and ask what else we can do to make this even more secure than what it is today. Ledger wallets haven't been compromised, so they're going after the human elements time and time and time again. So what else can we do? What else can we do to help protect the end customer? Because these are real people.”
Updated: Jan. 13, 202 16:14 UTC: The amount of the bitcoin bounty has been changed from 5 BTC to 10 BTC.
Updated: Jan. 13, 202 16:31 UTC: More information regarding the scope of the Shopify breach was added.