Ledger's Response to Data Breach Isn't Good Enough - Decentralise #62
270,000 customers' email addresses, physical addresses, and phone numbers leaked
Full Customer Details Leaked
This week the full Ledger customer data leak was posted on Raidforums.
The data includes over 1,000,000 user emails and 270,000 physical addresses and phone numbers.
Check the data below to see if you were affected.
Scammers have already begun a new wave of phishing emails trying to trick users into handing over their recovery phrase, and with it the private keys the device was bought to protect.
Even worse, there have been multiple reports of threats of physical violence.
Ledger make great products designed to keep their users safe by storing private keys offline, on the hardware device itself.
Sadly they didn’t take as much care with sensitive user data, and now over 270,000 users are at risk.
While physical violence is unlikely, users should not have to go through this experience and feel like there is now a target on their back.
Staying safe
One of the biggest risks here (aside from falling for a fake email) is SIM-swapping.
Because customer phone numbers are now public, anyone who used one of those numbers for SMS-based two-factor authentication or account recovery is at risk: an attacker who persuades the carrier to move the number to a new SIM receives the verification codes and can take over the linked accounts. Moving second factors to an authenticator app or hardware key, and setting a port-out PIN with the carrier, closes that door.
Hudson shared an excellent guide on protecting yourself.
Woeful Response
Ledger have repeatedly tried to downplay the scale of the breach. First it was announced that only 9,500 users had had their full information exposed. Then the fact that phone numbers had been leaked too was conveniently omitted.
Ledger CEO Pascal Gauthier spoke with Decrypt, but the tone and content were woeful and, in my opinion, disingenuous.
“It’s kind of ridiculous people saying they want their money back. There is nothing wrong with Ledger’s products. Their products are still secure as far as we know. The insecurity is with the humans using their products. That is a whole other problem set.”
While there may be nothing wrong with Ledger’s products, the company’s poor data management has directly compromised the privacy and peace of mind of their customers.
Given the scale of the breach and the sensitivity of the data, I’m frankly appalled by the response.
The guys at Yearn have it right.
Conclusion
While this series of events has been serious, I have appreciated some comic relief.
But humour is only going so far.
This is serious, and the response from Ledger has been inadequate. I hope they recognise how poorly they have managed this situation.
I will be avoiding the company and recommending others do the same. Trezors anyone? The only positive I can hope for is that other companies take note and move to better protect (or, better still, not indefinitely store) customer data.
Decentralise is sponsored by PieDAO, community-governed tokenised portfolios.