Beta testers’ AMA: Demystifying the data breach with Ledger’s CISO

Matt is a former Australian police officer, with proven experience in physical and cybersecurity, he held positions such as Group Chief Security Officer at Ingenico and Director of Cybersecurity at Visa.

In the aftermath of the data breach, and a short period of time after Johnson started, Ledger has taken substantial first measures to address the situation and ensure such a hack doesn’t happen again. As a company, we understand the seriousness of the circumstances and the harm that has been caused, thus, we assure you that the entire Ledger team is working extremely hard to solve these challenges. 

Focused adversaries will always try different angles to access Ledger’s data and we must continue to strengthen our security posture. This is an industry-wide problem that we need to fight together, and Ledger is doubling-down on our commitment to do our part in this fight. Today, we are here to demystify and provide you, our fellow community members, with the opportunity to Ask Matt Anything.

But first, let’s do a quick review of the situation.

What happened

While the security of Ledger products is unparalleled – Nano products are the only hardware wallets independently certified on the market –  and remain uncompromised, criminals are attacking Ledger customers with phishing attempts using different attack types. 

First, to recap the situation briefly: On July 14th, 2020 a researcher contacted us through our bounty program to inform us of a data breach on our e-commerce and marketing database. We immediately fixed the breach and launched internal investigations. Unfortunately, a malicious attacker had gained unauthorized access to our e-commerce and marketing database via a third party’s API key. We then (July 29th, 2020) notified our customers and shared the forensic information with the relevant authorities.

On December 20th, 2020 the full contents of the stolen databases were made publicly available in a forum. Once we saw these full databases, we could see that approximately 272,000 customer records including name, address and phone number were stolen in addition to the more than 1M email addresses. As soon as this was discovered we warned affected customers via email (December 21st, 2020).

On December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s.

The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack. 

Throughout these attacks, Ledger hardware wallets remain uncompromised and your cryptocurrency secure SO LONG AS YOU NEVER SHARE YOUR 24 WORDS WITH ANYONE (especially someone pretending to be Ledger — Ledger will never ask you for this information).

To help you discover the kinds of phishing attacks being perpetrated, or to report a phishing attack to our team, see this page. Your participation matters.

What we did

In recent months we’ve seen high activity of phishing attacks on our customers. We have communicated heavily to warn our customers about these attacks via email, on our Website, within Ledger Live, and on Twitter, Reddit and other third-party platforms. We partnered with Webdrone, a company specialized in business intelligence and cybercrime, to identify the author(s) of phishing websites. We have an on-going program with Corsearch to shutdown phishing websites expeditiously through registrars and to date have shut down 216 sites and counting.

Our internal brand protection team has been exclusively dedicated to the phishing attacks since they started.  Corsearch is collaborating with international investigative organisations on our behalf. On December 16th, 2020 we launched a specific page sharing the anatomy of these phishing attacks to help you identify them and report any new attacks you receive. 

Moreover, we are working with Chainalysis and other organisations to track the cryptocurrency wallets used by the scammers.  If/when discovered, we will report them to law enforcement for action (for example to freeze the crypto assets should they land on exchanges). 

We continue to work with Shopify and prosecutors on the case; an investigation is already underway, led by the FBI and the RCMP.  Ledger also reported the events to the French Public Prosecutor and filed a complaint against the rogue agent(s). We are continuing to work with Shopify using new internal processes to ensure enhanced security.

Due to these incidents, Ledger has experienced an exponential increase in requests for information compared to this time last year. We apologize for any inconveniences that you may have encountered, every communication with our customers is important to us and we want to respond to every one with precise information. To accommodate to this demand we hired more resources in 2020 and are continuing to hire in 2021.

What we are doing

Data breaches and phishing attacks are becoming an increasingly perturbant industry-wide problem. And despite our past flaws we are doing what’s necessary to face any future threats. We continue working on this problem every single day, and today we want to share with you the beginning of our new plan that is aiming to increase the protection of your protection.

• We are announcing changes in the way Ledger will handle customer data: Our goal is to completely delete your personal data such as name, address, and phone number as soon as possible. We are challenging ourselves and third party providers to keep this data for as short a period of time as necessary to fulfill our obligations to our customers (such as fulfilling your order) and the law (such as accounting and legal obligations). Data which needs to be kept will be put in a further segregated environment.
• We will implement a messaging model where proactive important security and technical information will be conveyed through Ledger Live. Email and social media will ONLY be used for broadcasting product messages and announcements.
• We will be conducting a detailed re-assessment of all our suppliers and partners to ensure that they continue to meet the highest standards.
• Ledger is committing numerous additional resources to identifying and prosecuting those responsible for the attacks on Ledger and Ledger customers including a bounty fund of 10 BTC for information leading to successful arrest and prosecution. We hope other companies will join the bounty program and help make the crypto community a safer place.

Join us  

We are deeply sorry that these incidents occurred and for any pain or stress they’ve caused you. Keeping you secure is Ledger’s mission and we take these incidents extremely seriously both personally and professionally. Also part of our mission is to transparently communicate, listen to your concerns, and provide answers.

Therefore, we invite you to a beta testers’ exclusive (the main event will be announced soon) AMA with our new CISO Matt Jonhnson on Thursday 18th of February at 6 pm, where we will be addressing the situation, sharing with you our vision for the future and answering any questions that you may have. Looking forward to your presence.