Shopify and TaskUs Sued Over 2020 Ledger Crypto Wallet Hack and Data Breach


According to a lawsuit filed on Monday in the District of Delaware, TaskUs Inc. and several Shopify entities failed to adequately protect consumer information in connection with a massive 2020 data breach impacting Ledger SAS cryptocurrency hardware wallets. The class action stems from the unauthorized release of several hundred thousand pieces of Ledger SAS customers’ personal information including their full names and e-mail and physical addresses.

As explained in the complaint, hackers allegedly exploited a Ledger database vulnerability through its e-commerce vendor, Shopify, and TaskUs as a third-party contractor, in order to obtain a list of Ledger’s customers’ personally identifying information. Ledger is a company that offers cryptocurrency wallets that store the private “keys” of an individual’s crypto-assets, the filing says.

Hackers reportedly sought the information in order to engineer phishing attacks to “compel users to unlock their cryptocurrency accounts and make untraceable, irreversible transfers of cryptocurrency into these criminals’ accounts overseas and within the United States.” In addition to security failures, the plaintiffs argue that the defendants, Shopify in particular, did not meaningfully notify their customers of the breach or disclose that “rogue” employees were actually involved.

The complaint argues that despite promises from Shopify and TaskUs about their robust security protections, they failed to protect their customers’ identities, “causing targeted attacks on thousands of customers’ crypto-assets and causing Class members to receive far less security than they thought they had purchased with their Ledger Wallets.”

The plaintiffs argue that they would not have agreed to have their data transmitted to either defendant in order to perform e-commerce support for Ledger’s operations had they known about their allegedly slipshod security measures.

The lawsuit states claims under common law and consumer-protection statutes and seeks injunctive relief, equitable relief, and damages. The plaintiff is represented by Deleeuw Law LLC and Migliaccio & Rathod LLP.

The lawsuit is not the first filed over the 2020 breach. Last April, a consumer class action took on Shopify and Ledger over their alleged security lapses. In that case, Judge Edward M. Chen granted France-based Ledger, Shopify USA, and Shopify Inc.’s motion to dismiss on personal jurisdiction grounds. The plaintiffs have since appealed.