Ledger and Shopify have been hit by a class-action lawsuit over a major data breach that saw the personal data of 270,000 hard wallet customers stolen between April and June 2020.
Phishing scam victims John Chu and Edward Baton filed the lawsuit in California against the crypto wallet provider and its e-commerce partner Shopify on Tuesday.
The plaintiffs alleged that the firms “negligently allowed, recklessly ignored, and then intentionally sought to cover up” the data breach. The data was stolen when rogue employees of Shopify accessed the company’s e-commerce and marketing database for Ledger, with the hackers then selling the data on the dark web.
“Had Ledger acted responsibly during this period, much of that loss could have been avoided,” they claim.
The pair are seeking redress for the damages caused by the breach, requesting “all relief allowed by law, including injunctive relief.” Chu lost $267,000 worth of Bitcoin (BTC) and Ether (ETH), and Baton lost $75,000 worth of Stellar (XLM) in phishing scams that impersonated correspondence from the firms.
The data, spanning full names, email addresses, phone numbers and shipping addresses, was eventually posted on the website RaidForums in late December. The lawsuit accuses Ledger in particular of failing to “individually notify every affected customer or admit to the full scope of the breach.”
“Ledger’s and Shopify’s misconduct has made targets of Ledger customers, with their identities known or available to every hacker in the world. Ledger’s persistently deficient response compounded the harm. In failing to individually notify every affected customer or admit to the full scope of the breach.”
While it has yet to be proven if the firm knew the full scope initially, it published a blog post in July 2020 stating that 9,500 users had their data leaked at the time.
Ledger fully acknowledged the data leak on Jan. 13 in a blog post that confirmed that access to its user database had been a result of the Shopify hack. The post also announced changes to how it stores data and communicates with customers, and offered a 10-BTC bounty fund for information leading to the successful arrest and prosecution of the hackers.