Cryptocurrency hardwallet company Ledger has revealed it was part of Shopify’s 2020 data breach, which exposed data from 292,000 of its own customers.
BetaKit has learned that Ledger is one of a “small number” of Shopify merchants that were recently found to have been affected by the data breach, in addition to the “less than 200” merchants that Shopify originally identified.
On Wednesday, Ledger published a statement on its website, noting that Ledger was not known to be one of the affected Shopify merchants at the time the breach was revealed last September. According to Ledger’s statement, Shopify only discovered that Ledger was involved in the breach on December 21. Ledger was informed by Shopify of its involvement on December 23.
A Shopify spokesperson declined multiple requests to confirm the exact number of merchants that were newly discovered to be affected by the 2020 breach, referring to them only as an “additional small number.”
In September, Shopify claimed that it determined two “rogue members” of its support team were engaged in the plot to obtain the customer transactional records of specific merchants following an internal investigation. At the time, Shopify reported that “less than 200 merchants” were affected.
A Shopify spokesperson declined multiple requests to confirm the exact number of merchants that were newly discovered to be affected by the 2020 breach, referring to them only as an “additional small number.”
“As confirmed earlier, complete payment card numbers or other sensitive personal or financial information were not exposed,” the spokesperson added. “Merchant trust and data security remain a top priority at Shopify, and we are committed to protecting our platform, our merchants, and their customers.”
Ledger stated the total number of customers affected by the breach is 292,000. Ledger said data exposed in the breach included emails, names, postal addresses, products ordered, and phone numbers. Of those, 20,000 were newly identified customers unknown to have been exposed in previous attacks.
In September, Shopify said contact information such as emails, names, and addresses, as well as order details, such as products and services purchased, but did not specifically mention phone numbers. Ledger stated it worked with forensic firm Orange Cyberdefense to identify the stolen data.
“Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA,” Ledger said in a statement.
Ledger announced in its statement changes to the way it will collect and handle customer data. Some of these changes include “keeping personal data for as short a time as legally possible” and “minimizing the display of personal data in emails.”
“Merchant trust and data security remain a top priority at Shopify, and we are committed to protecting our platform, our merchants, and their customers,” the Shopify spokesperson said.