Ledger CEO Pascal Gauthier said today that the company will not reimburse customers who had their personal data leaked online—including those who had their home addresses revealed.
Yesterday the supposedly breached database was released publicly online. It showed that far more sensitive data had been stolen, with Ledger estimating that a portion of 270,000 users have had their names, delivery addresses and telephone numbers posted online. And yet, the firm won’t be providing any compensation.
“When you have a data breach of this magnitude for such a small company, we won’t reimburse for a million users, all the devices, that’s just not possible. It would just kill the company,” Gauthier told Decrypt, adding, “Instead we prefer to look at the future. What Ledger is doing right now is investing a lot of time and money building the next layer of security and the next products that will bring more security to our users.”
Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020.
— Ledger (@Ledger) December 20, 2020
As Decrypt reported, the release of more sensitive data has resulted in upgraded phishing attacks. Before, emails were asking Ledger users to download malicious links, hoping to get their private keys to their cryptocurrencies. Now, these emails are telling Ledger’s customers that they know their name and address and are threatening to come to their houses to steal their cryptocurrency unless they pay a ransom.
“It’s just an online scam to scare you with these tactics. This is what works for attackers. To actually move to someone’s home is a very costly event.” said Gauthier.
Wouldn’t want to be a Ledger customer right now pic.twitter.com/wZoH3OwTLL
— Riku Raisanen (@rikuraisanen) December 21, 2020
But he argued that it’s unlikely that these threats are real.
“Even though it’s a possibility and we don’t deny it’s a possibility, it’s not the highest possibility that this will happen. The database has been out since June and no-one has [ever] reported any attack of this sort.”
Gauthier argued that scammers will try to spend as little money as possible and such phishing attacks enable them to easily target a high number of customers online—without the risks of attacking them in person.
Gauthier said that his customers should not move house to avoid physical attacks. He said that users should not be storing private keys in their own homes, especially when it comes to storing large amounts of cryptocurrency.
“Would you keep a million dollar in cash at home? If you have that much wealth, you shouldn’t keep it in your house,” he said. Ledger recommends that users store their private keys in a secure location where nobody else has access.
Casa CTO Jameson Lopp weighs in
He may not have been attacked at his own home, but Casa CTO Jameson Lopp knows a thing or two about personal safety. In 2017, he was SWATted at his house. Afterward, he spent a lot of time and energy moving to a place unknown and keeping his location private. He even spent $5,000 on personal detectives to see if they could track him down (they couldn’t). And as CTO of Bitcoin storage provider Casa, he knows a thing or two about security.
“[The hack] was inevitable. Fundamentally information wants to be free. This is a recurring theme that you see across any service that stores large amounts of information, especially valuable personally identifiable identification. There’s no reason to expect this kind of thing is going to slow down,” he told Decrypt.
Lopp argued that companies should try to delete such data where possible (although this is trickier in Europe with GDPR).
On the issue of the threatening phishing attacks, he said, “Most of that is going to be scareware, that is not going to be backed up by someone.”
But he said that scammers could use the attacks to select high-profile targets. Since attacking someone at home is risky, he said that attackers would do a lot of research first, checking if someone has a luxury car or house.
Lopp said, “But if it does turn into a sort of catalyst for a new wave of physical attacks, that’s gonna be a turning point. Maybe more people will finally start taking their privacy more seriously in this space.”
He added that affected customers should weigh their own situation and decide on what they should do to protect their identity.
“So, if you have a lot to lose, if the vast majority of your net worth is tied up in liquid bearer crypto assets and especially if you have them secured in a way that you’re vulnerable to physical attack, you’re vulnerable to being coerced into moving all or most of your wealth with a few clicks of a button,” he said.
He recommended that those who fit this category should consider having a greater focus on personal security, up to the point of doing what he did and starting again.
Lopp argued that Ledger’s customers shouldn’t blame the company for the hack. He said that they chose to give the company their personal addresses, when they could have used mail boxes, or even company addresses, to stay private.
“It’s kind of ridiculous people saying they want their money back. There is nothing wrong with Ledger’s products. Their products are still secure as far as we know. The insecurity is with the humans using their products. That is a whole other problem set,” he added.