Why Ledger Kept All That Customer Data in the First Place

First, the good news, in a manner of speaking: Ledger customers can now see firsthand whether their personal information was exposed in the hack discovered in July.

Someone posted the complete lists of 1 million email addresses and 272,000 names, mailing addresses and phone numbers belonging to customers of the France-based maker of hardware cryptocurrency wallets. The latter list is a lot bigger than the number previously disclosed by Ledger (9,500).

Asked about the discrepancy, a Ledger spokesperson said: "At the time of the incident, logs from a third-party application managing our database showed 9,500 individuals were impacted. Simultaneously, we were working with an external security organization to conduct a forensic review, which also confirmed 9,500 people." In an email sent to customers later Monday, Ledger said the details in the list of 272,000 "are not available in the logs that we were able to analyse." Customers whose information was in that list will be notified by email within 24 hours, the company said.

“It is a massive understatement to say we sincerely regret this situation. We take privacy extremely seriously,” Ledger said in a tweet storm Sunday. “Avoiding situations like this are a top priority for our entire company, and we have learned valuable lessons from this situation.” Among other steps, Ledger has hired a new chief information security officer and taken down 170 phishing sites since the breach, it said.

There are at least three file-sharing sites, reminiscent of the golden age of MP3 blogs, where you can download the two lists. I will not post the links but it took just a few minutes searching Twitter to find them.

If you download the trove, please check for your own details, then delete it. If you keep the file, gawk at the names or gossip with friends about it, well, I’ll be very disappointed.

Several of the email addresses in the data leak match those that received phishing emails from scammers seeking to defraud CoinDesk readers.

As we reported in July, these scammers were copying legitimate CoinDesk newsletters, adding some fraudulent paragraphs and links about a crypto giveaway, and sending them to individuals who never signed up to receive CoinDesk emails to begin with.

Casa CTO Jameson Lopp suggested in November that Ledger customers may have been targeted; Sunday's data dump supports that theory.

Read more: ‘Convincing’ Phishing Attack Targets Ledger Hardware Wallet Users

Bigger picture

The bad news: O.K., it’s not news but Sunday’s data dump serves as a sobering reminder that even a maker of hardware crypto wallets can become a honeypot of sensitive data. (I'm using the term "honeypot" in the sense of "a valuable target for hackers," not "a decoy site to trap them.")

The reason is partly due to the marketing imperatives of a startup, and partly due to legal and regulatory requirements.

In an FAQ posted in July, the company said an attacker had accessed part of its marketing database through a third party’s API key that had been misconfigured on Ledger’s website.

As soon as the breach was discovered, the key was deactivated, Ledger said. But not in time to prevent the rascals from accessing the lists and, apparently, selling them to phishing artists.

Why would a third party have an API key? The FAQ goes on to explain:

Ledger e-commerce and marketing teams use a third-party solution (Iterable) to send and analyze transactional and marketing emails to customers who have bought products on ledger.com or have signed up to receive our newsletters. … In accordance with our Privacy Policy, as a data controller, we may transmit some of your data to third parties such as payment service providers (PSPs) infrastructure, logistics, and other services providers, within applicable contractual and legal frameworks.

That covers the emails. What about all those mailing addresses, names and phone numbers? Why not purge those after shipping the goods? Back to the FAQ:

For legal reasons, we are obliged to store some transactional information relating to our customers' contact details and their orders data.

In accordance with the storage limitation principle set forth under applicable laws, we endeavor to retain data for no longer than the time required to comply with such legitimate and legal purposes, including satisfying any legal, accounting, tax, or other compliance reporting requirements.

We may archive some of your personal data, with restricted access, for an additional period of time when it is strictly necessary for us to comply with our legal and/or regulatory archiving obligations and for the applicable statute of limitation periods.

At the end of this additional period, your remaining personal data will be permanently erased or anonymized from our systems. If you purchased a product or a service from us, we may retain some transactional data attached to your Contact Details to comply with our legal, tax or accounting obligations for a maximum 10 years period set forth by French applicable laws, as well as to allow us to manage our rights (for example to assert our claims in Courts) during applicable French statutes of limitations.

We also need to retain some of your personal data contained in this database, in order for us to answer your questions, to process potential claims, and to retain evidence for the criminal investigation.

In other words, sometimes companies’ hands are tied and they have to hold on to the toxic waste that is customer data even if they don’t want to.

Take heart; there are ways to mitigate the risk of exposure even when ordering physical products, as CoinShares Chief Strategy Officer Meltem Demirors noted on Twitter:

Read more: Let's Be Privacy Scolds

UPDATE (Dec. 21, 16:45 UTC): Added statement from Ledger spokesperson.

UPDATE (Dec. 21, 18:40 UTC): Added quote from Ledger email to customers.