on the crypto
In the aftermath of the largest attack in the company's history, and just over a week after the hiring of Ledger's new Chief Information Security Officer (CISO) Matt Johnson, hardware wallet company Ledger announced its first steps to address the data breach and ensure that the attack does not happen again.
These include working with blockchain analytics firm Chainalysis to hunt down hackers, with a 10 BTC bounty. quotation in real time) for the information that will lead to the hacker's arrest and a complete review of what information the company keeps, where it is stored and how long it is held.
Ledger's hack
Ledger publicly revealed that some customer information was compromised in July 2020. At the time, the company estimated that 9.500 customers had been affected by the hack. In December 2020, a data dump "exposed 1 million email addresses and 272.000 names, postal addresses and phone numbers belonging to people who had ordered Ledger's devices."
The number of people affected was much higher than the original estimate of 9.500. Now, Ledger has released new information about the hack, revealing that it was likely due, in part, to bad guys active on Shopify, its e-commerce partner at the time.
Shopify infiltrators
On December 23, 2020, Ledger was informed by Shopify of an incident where "some unauthorized members of their support team obtained customer transaction logs, including Ledger's between April and June 2020".
Until December 21, 2020, however, Shopify had not "found that Ledger was also targeted in this attack." Shopify told Ledger that it is continuing to investigate and that the problem had been reported to law enforcement. In collaboration with the forensic firm Orange Cyberdefense, Ledger examined the stolen 292.000 data. The company said it informed customers that they were hit on Jan.13.
Ledger's data security after the hack
In a Twitter post, Ledger reiterated that the company will never ask customers for the 24 recovery words that can be used to access bitcoin and cryptocurrencies. They also pointed out that until customers shared these words, their Ledger hardware devices were safe.
According to Johnson, Ledger is trying to go beyond the privacy required by the European Union's General Data Protection Regulation. Ledger will delete data from its e-commerce partner and move customer data to a database that cannot be accessed from the Internet as soon as the order is fulfilled, before it is legally possible to delete it.
The company will also delete names, addresses and telephone numbers from confirmation emails sent to customers so that this data is not transmitted via third party e-commerce email providers. Ledger's engineering team is also developing a product that "will protect a user's funds even if they shared the recovery seed with an attacker."
