Matt Johnson, Ledger’s Chief Information and Security Officer.
Matt is a former Australian Federal Police officer with proven experience in physical and cybersecurity; he has held positions such as Group Chief Security Officer at Ingenico and Director of Cybersecurity at Visa. In the aftermath of the data breach, and shortly after Johnson started, Ledger has taken substantial first measures to address the situation and ensure such a hack doesn’t happen again. This AMA was his first opportunity to share his vision for the future with you and answer your questions. Here’s our TL;DR version.
Before we get started
First of all, as a company, we are deeply sorry that these incidents occurred and for any pain or stress they have caused you. Keeping you secure is Ledger’s mission, and we take these incidents extremely seriously, both personally and professionally. Part of our mission is also to communicate transparently and listen to your concerns, which is why we organized this event: to provide you with answers. To those of you who attended our AMA, thank you for your presence and participation.
Focused adversaries will always try different angles to access Ledger’s data, and we must continue to strengthen our security posture. This is an industry-wide problem we need to fight together, and Ledger is doubling down on its commitment to do its part in this fight. Today, we are here to demystify the situation and provide you, our fellow community members, with a thorough understanding of it.
If you want to know more about what happened, you can find a recap here.
Our action plan moving forward
Data breaches and phishing attacks are an increasingly industry-wide problem, and we are doing what’s necessary to face any future threats. We continue working on this problem every single day, and today we want to share with you the beginning of our new plan, which aims to increase the protection of our customers.
- We are announcing changes in the way Ledger will handle customer data: our goal is to completely delete your personal data, such as name, address, and phone number, as soon as possible. We are challenging ourselves and our third-party providers to keep this data for as short a period of time as is necessary to fulfill our obligations to our customers (such as fulfilling your order) and the law (such as accounting and legal obligations). Data which needs to be kept will be put in a further segregated environment as soon as practicable.
- We will implement a messaging model in which important security and technical information will be proactively conveyed through Ledger Live. Email and social media will ONLY be used for broadcasting product messages and announcements.
- We will be conducting a detailed re-assessment of all our suppliers and partners to ensure that they continue to meet the highest standards.
Ledger is committing numerous additional resources to identifying and prosecuting those responsible for the attacks on Ledger and Ledger customers, including a bounty fund of 10 BTC for information leading to a successful arrest and prosecution. We hope other companies will join the bounty program and help make the crypto community a safer place.
You asked, we answered
1- Have my funds and/or payment info been compromised?
Throughout these attacks, Ledger hardware wallets remain uncompromised and your cryptocurrency secure so long as you never share your 24 words with anyone (especially someone pretending to be Ledger — Ledger will never ask you for this information). Moreover, Ledger does not save credit card information, so the data breach does not affect your payment details.
2- I have received phone calls/SMS with physical threats; what should I do?
First of all, we apologize for this rather stressful situation. We know what you are going through, and as frightening as it may be, we urge you not to panic. Scammers usually look to maximize their gains with the least possible risk; accordingly, we have not had any reports of physical attacks. The scammers will always go after the easiest element to attack. They will try to create a sense of urgency and panic, make it time-sensitive or time-critical, play upon your fears, and do everything they can to convince you to hand over your 24 words.
Please stay calm, collect the phishing attempts, and file a report with your local police. Then send us your police report number. Ledger is gathering a significant number of customer reports to process them and transmit them to specialized law enforcement agencies. If we are to find those responsible, we need your help. Contact us through our online contact form or as @Ledger_Support on Twitter.
3- I have not received any email from Ledger. How can I know if my data has been leaked?
The data that were exposed are email, name, surname, phone number, product(s) ordered, and delivery address. We have contacted the affected users via email to inform them of the exact information that was leaked in their case. If you have not received an email from Ledger, please check your spam folder. You can also contact our support team or consult the website https://haveibeenpwned.com/, where you can instantly see whether your data was leaked in this breach.
4- Do you sell data/information to telemarketer companies?
Absolutely not. Your data has never been intentionally disclosed, and Ledger has never profited from selling or sharing your data with any third party.
5- Are you using an independent third party for penetration testing? Do you offer bounties for finding bugs or weaknesses?
We actively perform penetration testing, and we also have a security lab, Ledger Donjon, that continuously tests our hardware devices. Since the advantage of a hardware wallet like Ledger is the trusted display for verifying information, we always recommend that our users check it before manually validating any action or transaction.
Moreover, we do have an active bug bounty program. Ledger continues incentivizing the community to take part in this program to double down on our commitment towards security. More details here.
6- Will Ledger share the intel on phishing attacks with other hardware manufacturers? I heard scammers have also targeted the same addresses with attacks aimed at other devices, since they know some people own both.
Yes, we announced our intention to collaborate with others in the industry on this initiative. We have also reached out to other companies and individuals in the space about ongoing funding of the bounty program for crimes committed against the crypto community.
7- Will you be compensating those affected in the data breach?
We are not planning to offer compensation to people affected by the data breach. However, we are determined to focus our efforts on R&D to reinforce our security. On another note, we are also spending a considerable amount of resources on investigating the data breach and the current phishing campaigns so as to bring those responsible to justice, for the benefit of our entire ecosystem.
This is a difficult time for us all. To those of you who stood by us, we thank you. And to every Ledger customer, be certain that we are working around the clock to make sure this never happens again. As the old saying goes, what doesn’t kill you makes you stronger. In other words, Ledger will come out of this providing you with a better, stronger, and more secure experience; you have our word.
We are humbled to be part of this community, and we will keep working harder every day to evolve and add value to the ecosystem, but most importantly to be worthy of your trust.