Why Ledger kept all customer data

Someone has posted a complete list of 1 million email addresses and 272,000 names, postal addresses and phone numbers belonging to customers of Ledger, the French manufacturer of cryptocurrency hardware wallets.

This latter list is much larger than the number previously disclosed by Ledger (9,500). Ledger has not yet commented on the new list, but it has renewed its apology for the breach. The company has hired a new chief information security officer and has taken down 170 phishing sites since the breach, it said.

Why keep the data?

Sunday's data dump serves as a reminder that even a cryptocurrency hardware manufacturer can become a valuable target for hackers seeking sensitive data. The reasons are partly a startup's marketing imperatives and partly legal and regulatory requirements.

In an FAQ published in July, Ledger said that a hacker had gained access to part of its marketing database via a third party's API key that was misconfigured on Ledger's website.

The key was deactivated as soon as the breach was discovered, the company said, but not in time to stop the hackers from accessing the lists and apparently selling them to phishers.

Why should a third party have an API key? The FAQ goes on to explain: “Ledger's e-commerce and marketing teams use a third-party (Iterable) solution to send and analyze transactional and marketing emails to customers who have purchased products on or have subscribed to receive our newsletters.”

How long is the data kept?

What about all the email addresses, names and phone numbers? The FAQ section continues: “For legal reasons, we are obliged to store certain transactional information relating to our customers' contact details and their order data.

In accordance with the storage limitation principle established by applicable laws, we strive to retain data for no longer than is necessary to fulfill those legitimate and legal purposes, including meeting any legal, accounting, tax or other type of compliance reporting requirement.

We may store some of your personal data, with limited access, for an additional period of time when it is strictly necessary for us to comply with our legal and/or regulatory storage obligations and for applicable limitation periods.

At the end of this additional period, your remaining personal data will be permanently deleted or anonymized by our systems. We may keep certain transactional data attached to your contact details to comply with our legal, tax or accounting obligations for a maximum period of 10 years established by the applicable French laws, as well as to protect our rights (for example to enforce our claims in court) during the current French statutes of prescription.” In other words, sometimes companies have their hands tied and have to retain customer data even if they don't want to.