Shopify and Ledger Named in a New Class-Action Lawsuit Following Data Breach
Shopify and Cryptocurrency Hard Wallet Company Ledger Are Facing a Class-action Lawsuit Following the 2020 Data Breach That Impacted a Number of Shopify Merchants.
On the 6th of April two plaintiffs, John Chu and Edward Baton, filed a lawsuit against Shopify Inc., Shopify USA Inc., Ledger SAS, and Ledger Technologies Inc., with the plaintiffs claiming that several users lost their cryptocurrency in phishing campaigns due to their personal data being leaked in a data breach that took place in 2020.
The suit is saying that Shopify and Ledger “negligently allowed, recklessly ignored, and then intentionally sought to cover up” the 2020 breach, that Shopify revealed in September, and according to Ledger, Ledger was informed by Shopify of its involvement on December 23.
“Ledger’s and Shopify’s misconduct has made targets of Ledger customers, with their identities known or available to every hacker in the world,” the suit states.
Shopify declared in September last year that two employees were the perpetrators behind the data breach that had affected a few merchants on its platform, at the time saying that less than 200 merchants were affected.
Recently, Shopify became aware of an incident involving the data of less than 200 merchants. We immediately launched an investigation to identify the issue–and impact–so we could take action and notify the affected merchants.
Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants. We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.
This incident was not the result of a technical vulnerability in our platform, and the vast majority of merchants using Shopify are not affected. However, those whose stores were illegitimately accessed may have had customer data exposed. This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.
Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.
To put it simply, we are committed to protecting our platform, our merchants, and their customers. We will continue to work hard to earn your trust every day.
The plaintiffs allege that the hackers involved in the breach posted Ledger’s customer list, which included email addresses and other contact information, onto the online “black market”, and also the fact that between June and December 2020, the hackers published the acquired data online, exposing names, physical addresses, phone numbers, and order information.
Ledger revealed in January that it was part of the breach, as one of a small number of additional Shopify merchants that were found to have been affected by the data breach, and that 292,000 of its own customers were affected, saying that the exposed data in the breach included emails, names, postal addresses, products ordered, and phone numbers.
Heimdal™ Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
Shopify declared that two members of its support team were the ones engaged in the plot to obtain the customer transactional records of specific merchants following an internal investigation.