Ledger Reveals 3 Month Policy for Keeping Buyer Info; 2,000 New Users Affected in Data Breach
This time the information was leaked by rogue employees of Shopify, the hardware wallet’s e-commerce provider. But “these attacks have only strengthened our resolve to build and release products that keep you and your crypto safe,” says Ledger.
Hardware wallet Ledger, which is meant to “provide security to critical digital assets for consumers & institutional investors,” keeps leaking information about its customers.
After the last data breach affected 272,000 customers, yet another one has leaked the customer records of an additional 20,000 Ledger customers.
On Wednesday, Ledger informed the crypto community that in an incident in the first half of 2020 (April and June), its e-commerce provider Shopify’s team members illegally exported merchants’ customer databases.
Shopify alerted Ledger about this incident on December 23rd. Of the information obtained, 93% was similar to the previous data dump, while 7% of the customer records breached were new.
Reportedly, this incident affected over 200 merchants of Shopify, but the e-commerce giant didn’t discover that Ledger was also targeted in this attack until Dec. 21st, 2020.
As for why Ledger would keep the information, the company says, “our goal is to completely delete your personal data (such as your name, address, and phone number) as soon as possible.”
However, the company stores e-commerce information for “accounting and legal obligations,” in a segregated environment — “separate, dedicated, and encrypted storage inaccessible from the internet or external devices, with limited access rights” — for “as short a period of time as necessary,” which is 3 months after the order is shipped.
The company has already contacted the concerned users directly to inform them about this incident.
“We are dedicated to taking action against this incident,” wrote Ledger while advising users to never share a 24-word recovery phrase.
If a user purchased a Ledger product after the end of June 2020 or outside of the Ledger.com site, their data is not exposed.
“We are deeply sorry that these incidents occurred and for any pain or stress they’ve caused our customers,” reads the official announcement, in which the company says it will “soon release a technical solution that will remove the 24 words as the single pillar of the security of our hardware wallets and will open the door to funds insurance for individual customers.”