On Sunday an unknown hacker claimed that he was in possession of leaked databases from Ledger, Trezor and Keepkey’s ecommerce platforms.
After a thorough investigation from our data and security team and based on the information at hand, we can confirm this leak doesn’t match our database.
Therefore, we are confident our clients’ data is not at risk of being used for phishing attacks, scams or any other attacks. To sum up, and after multiple discussions with other industry players and partners, it is our conviction that this is merely an attempt at damaging Ledger’s reputation and is nothing but a hoax.
Several clues led us to this conclusion:
- The hacker claims he hacked Ledger clients’ database through a Shopify exploit in 2016. While Ledger currently uses Shopify as a third party provider for its ecommerce operation, this was not the case back in 2016.
- The content and structure of the leaked data does not match Ledger’s.
- Shopify couldn’t find any trace of malicious attacks, nor suspicious activity in its ecommerce systems.
- We spoke with Under The Breach, who could not confirm the authenticity of the allegedly stolen database.
We think this situation is a great opportunity to reiterate the importance we place on the security of your data and to describe the way we manage it at Ledger.
Ledger puts security at the core of all its activities. Our world-class security team (the Donjon) works daily to improve security across the whole ecosystem, always keeping users’ security and privacy at the forefront.
Because privacy is an integral part of the Ledger security model, the Donjon works on a daily basis in close collaboration with our in-house privacy team as part of our ambitious data protection program.
As a European business, Ledger abides by the EU General Data Protection Regulation (GDPR), which is widely regarded as one of the strictest, if not the strictest, data protection regulations in the world to date.
Beyond regulations, at Ledger, privacy is embedded in our philosophy and culture. This is reflected in our privacy-by-design approach and in the fact that users of our products, such as the hardware wallets or Ledger Live, are not required to create a login. It also means we strive to develop and enforce robust processes to ensure the confidentiality and integrity of your data. In doing so, we have put a strong focus on the following best practices:
- Minimization: we only process the data we need and keep it for only the duration mandated by law.
- Culture and training: we embedded privacy in our company culture from the outset, and we provide regular staff training on privacy and confidentiality.
- Transparent policies: privacy policies that you can actually read through, and a dedicated team to answer your questions and concerns and to uphold your data subject rights.