Shopify faces another lawsuit from crypto holders alleging Ledger data breach

Global e-commerce platform Shopify and hardware wallet maker Ledger face a major legal hurdle: a group of Ledger users has filed a class action lawsuit over the companies' failure to prevent a massive data breach in 2020.

The lawsuit was filed in Delaware U.S. District Court on April 1 and alleges that Shopify has “repeatedly and fundamentally failed to protect the identity of its customers.”

Shopify and its external data consultant TaskUs are being blamed by complainants for leaking Ledger buyers’ personally identifiable information (PII), despite marketing promises to ensure the full security of the Shopify platform.

The plaintiffs allege that Shopify and TaskUs knew about the data breach for over a week before notifying customers. They are demanding that Ledger and Shopify disclose the exact nature of the leaked information, and they seek a financial award covering actual and punitive damages.

A class action lawsuit has been filed against Shopify and Ledger.

France-based Ledger is also named as a defendant in the case over its marketing claims promising customer safety. The complaint states that Ledger “initially denied that a PII breach had occurred,” but later had to backtrack and reference the leak and Shopify in an email notification. The complaint stated:

“Despite the repeated promises and global publicity campaign touting unmatched security for its customers, Ledger – and its data processing providers Shopify and TaskUs – have repeatedly and thoroughly failed to protect the identities of its customers, resulting in targeted attacks on the crypto assets of thousands of customers and resulting in class members receiving far less security than they thought they bought with their Ledger wallets.”

Hardware wallets, also known as cold wallets, are physical devices that offer crypto users extra security for their private keys and seed phrases. They are marketed as more secure than hot wallets.

As alleged in the complaint, Ledger used Shopify to power its website’s online store. As a result of this relationship, Shopify had direct access to customers’ PII in Ledger’s database. Shopify uses TaskUs to provide customer support services, so TaskUs also had access to Ledger’s customer data.

Hackers made off with the personal information of about 272,000 Ledger users and over 1 million email subscribers to the Ledger newsletter in 2020. A massive phishing and intimidation campaign against Ledger owners followed, resulting in some victims losing crypto assets.

This isn’t the first class action lawsuit filed against both Ledger and Shopify over the data breach. In April 2021, another group of complainants filed suit in California. That complaint included allegations similar to those in the recent Delaware filing, claiming that Shopify and Ledger “carelessly admitted, recklessly ignored, and then deliberately tried to cover up.”

On April 2, hardware wallet maker Trezor was the subject of a phishing attack that targeted its users through marketing service provider MailChimp. On April 3, Trezor confirmed in a tweet that there had been a data breach. The company warned users that it would stop communicating via the newsletter and had closed three of its domains.