Two Georgia residents have filed suit against Ledger SAS, Ledger Technologies Inc., Shopify (USA) Inc., and Shopify Inc., accusing the companies of mishandling a massive data breach that caused customers to lose money, face threats of physical violence, and feel vulnerable in their homes. The Northern District of California class-action complaint contended that the defendants negligently allowed, recklessly ignored, and intentionally tried to cover up the breach.
The plaintiffs explained that Ledger, “one of the market leaders for crypto-asset security,” sells solutions to consumers to help keep their crypto-assets safe. Its main product is a “hardware wallet,” a physical item similar to a USB drive that consumers use to access crypto assets, the complaint stated. Reportedly, Ledger sells its products through a number of distributors and also directly to consumers through its own website, which Shopify powers.
In mid-2020, two rogue Shopify employees accessed purchaser data, including the names and contact information of people who purchased Ledger hardware wallets. By June 2020, the filing claimed, Ledger’s customer register, a list of individuals who have “converted substantial wealth into anonymized crypto-assets that are transferrable without a trace,” made its way onto the internet’s black market.
Reportedly, circumstances worsened over the next few months as some hackers threatened to enter the homes of and attack Ledger customers unless they made untraceable ransom payments. In the face of the breach, Ledger purportedly did little. Finally, the complaint alleged, in December 2020, its CEO made a statement regretting the situation and acknowledging that phishing emails and text messages sent to some victims were a nuisance.
The plaintiffs argued that “customers would not have purchased Ledger wallets at all, or would not have paid as much as they did for Ledger wallets, had they known of Ledger’s lax security practices and unwillingness to promptly and completely disclose data breaches.”
In turn, the plaintiffs are requesting the certification of several classes and subclasses of Ledger customers and are seeking redress under state common law and California and Georgia consumer-protection statutes.