Ledger says it will not compensate users after important customer data was hacked

Ledger CEO Pascal Gauthier said today that the company will not compensate customers whose personal data was leaked on a hacked website, including those whose home addresses were compromised.

The hacked website showed that more sensitive data was stolen, with some of Ledger's estimated 270,000 users posting their names, shipping addresses and phone numbers online. However, the company will not offer any compensation.

“If the company was so small, we wouldn’t be able to compensate the equivalent amount for a million users and all the devices, that would simply be impossible. Pascal Gauthier told the media: “It would only kill the company. Instead, we prefer to focus on the future. What Ledger is doing now is investing a lot of time and money to build the next layer of security and the next product that will bring more security to our users.”

Today we were alerted to a dump of the contents of a Ledger customer database on Raidforum. We are still confirming this, but early indications are that this may indeed be the contents of our e-commerce database from June 2020.

— Ledger (@Ledger) December 20, 2020

As reported by the media, the release of more sensitive data has led to an escalation in phishing attacks. Previously, emails asked Ledger users to download malicious links in the hope of obtaining their cryptocurrency through private keys. Now, these emails tell Ledger customers that they know their names and addresses and threaten to come to their homes to steal their cryptocurrency unless they pay a ransom.

“It’s just an online scam to scare you with these tactics. This is what works for attackers. Actually moving to someone’s home is a very expensive thing to do,” said Pascal Gauthier.

But he believes the threats are unlikely to be real.

"Even if it is a possibility, and we don't deny it is a possibility, it is not the highest probability that it happened. The database has been out since June, and no one has reported this attack."

Gauthier argued that scammers will try to take as little money as possible, and this type of phishing attack allows them to easily target large numbers of customers as online clients without the risk of confronting them with their attacks.

Gauthier said his clients don’t have to move to avoid physical attacks. He said users shouldn’t store private keys in their homes, especially if they’re storing large amounts of cryptocurrency.

"Would you keep a million dollars in cash in your home? If you had that much wealth, you shouldn't keep it in your home," he said. Ledger recommends that users store their private keys in a secure location that no one else can access.

Image: Shutterstock

Bitcoin custodian Casa CTO Jameson Lopp is involved

He may not have been attacked in his own home, but Casa CTO Jameson Lopp knows a thing or two about personal security. In 2017, he was busted by SWAT officers in his home. Afterward, he put a lot of time and effort into going to an unknown location and keeping his location secret. He even spent $5,000 on private investigators to see if they could track him down (they couldn’t). As the CTO of bitcoin escrow service Casa, he knows a thing or two about security.

"Hacking is inevitable. Fundamentally, information is free. You'll see this recurring problem across all services that store large amounts of information, especially valuable personal identifiers. There's no reason to expect this to slow down," he told the outlet.

Lopp believes that companies should, whenever possible, delete threatening emails owners receive about bitcoin ransoms (although that’s tricky in Europe, where GDPR has been adopted).

On the issue of threatening phishing attacks, he said: "Most of these will be scareware and no one will be scared."

But he said scammers can use these attacks to choose high-profile targets. Because attacking someone in their home is risky, he said attackers do a lot of research first, checking to see if someone has a luxury car or home to identify who to attack.