Global e-commerce platform Shopify and hardware wallet maker Ledger face a major legal hurdle as a group of Ledger users have filed a class-action lawsuit for its part in failing to prevent a massive data breach in 2020.
The suit was filed in the U.S. District Court of Delaware on Apr. 1 and alleges that Shopify “repeatedly and profoundly failed to protect its customers’ identities.”
Shopify and its third-party data consultant TaskUs are being held responsible by complainants for leaking personally identifiable information (PII) of Ledger buyers despite marketing promises assuring the full security of the Shopify platform.
The plaintiffs claim Shopify and TaskUs were aware of the data breach for over a week before notifying customers. They are asking for the exact type of information leaked to be disclosed by Ledger and Shopify and for a monetary reward that covers actual and punitive damages.
France-based Ledger is also included as a defendant in the case for its marketing claims promising customer security. The complaint states that Ledger “initially denied that any compromise of PII had occurred,” but later had to backtrack and refer to the leak and to Shopify in an email notification. The complaint stated:
"Despite the repeated promises and worldwide advertising campaign touting unmatched security for its customers, Ledger—and its data processing vendors, Shopify and TaskUs—repeatedly and profoundly failed to protect its customers’ identities, causing targeted attacks on thousands of customers’ crypto-assets and causing Class members to receive far less security than they thought they had purchased with their Ledger Wallets."
Hardware wallets, otherwise known as cold wallets, are physical devices that provide crypto users with added security for their private keys and seed phrases. They are marketed to be more secure than hot wallets.
As the complaint alleges, Ledger used Shopify to run its website’s online store. As a result of that relationship, Shopify had direct access to the PII of customers on Ledger’s database. Shopify uses TaskUs to provide customer support services, and therefore it also had access to Ledger’s customer data.
Hackers made off with personal information from about 272,000 Ledger users and over 1 million email subscribers to Ledger’s newsletter in 2020. A massive phishing and intimidation campaign targeting Ledger owners followed resulting in some victims losing crypto assets.
This is not the first class-action suit filed against both Ledger and Shopify regarding the data breach. In April 2021, a different group of complainants filed suit in California. That complaint made allegations similar to the recent Delaware filing that Shopify and Ledger “negligently allowed, recklessly ignored, and then intentionally sought to cover up.”
On April 2, hardware wallet maker Trezor was the subject of a phishing attack that targeted its users through the MailChimp marketing service provider. On April 3, Trezor confirmed in a tweet that there had been a data breach. The company warned users that it would stop communicating via the newsletter, and had shut down three of its domains.