Shopify recently reported that 20,000 other Ledger customers are among the many victims. Ledger is collaborating with the authorities and taking internal security measures.
A cybercriminal recently stole the personal information of 20,000 Ledger customers from Shopify, an e-commerce company. This figure adds to that of those victims of other security incidents that happened last year to the users of these wallets.
There are a total of 292 thousand affected customers, among which is the data leak of Shopify. This is an e-commerce service provider for Ledger and one of the leading companies in that sector worldwide.
According to the Ledger team, Shopify reported on December 23rd that a cybercriminal had also compromised their customers’ data in September 2020. It was only until December 21st when Shopify found that Ledger was also a victim of this incident. Forensic firm Orange Cyberdefense helped Ledger, which allowed the latter to determine that 292,000 of its customers were victims. The database involved is 93% similar to the leak that occurred in September. However, it has 20,000 additional profiles of its customers. Ledger said that the data includes e-mail addresses, full names, addresses, types of products that the user bought, and the customers’ phone numbers.
Creation of a Fund Reward
This situation led Ledger to create a 10 BTC reward fund and offer it to those who provide information that allows arresting the cyberattackers. These 10 BTC are equivalent to around USD 400 thousand.
The person who provides new information will receive this amount of BTC from Ledger. He or she must have obtained it legally and it must be relevant to the investigation, among other conditions. Ledger is currently providing information to the authorities so that they can arrest those responsible. They say that they had reported the information breach to the French Data Protection Authority on December 26th. Furthermore, they are working along with the FBI and the Royal Canadian Mounted Police (RCMP). They also filed a legal case with the French Public Prosecutor’s Office.
New Internal Security Procedures
One of the new security procedures that Ledger will implement is deleting the personal information of its customers as soon as possible. They said that they will do it despite the challenges that it poses for its commercial operations and its legal obligations.
Besides, the firm proposes storing sensitive information about its customers externally, three months after having delivered a product. They added that they should reduce the locations where they store this personal information.
They recommend not including personal information in purchase confirmation e-mails. In that way, e-commerce providers like Shopify itself cannot access it from sent e-mails. They will use this form of communication solely and exclusively to send announcements and advertisements.
In mid-July of last year, a cyberattack on Ledger’s marketing department had compromised the data of 1 million users. The criminal warned about the theft in September and triggered a campaign of phishing attacks against Ledger users the following month. In December, the data of a group of more than 300,000 customers appeared on the dark web. They became the targets of cyberattackers’ greed and threats, which forced users to take the best security measures.
By Alexander Salazar