Shopify and cryptocurrency hard wallet company Ledger have been hit with a class-action lawsuit in relation to a 2020 data breach that impacted a number of Shopify merchants.
A suit was filed in a Northern California court on April 6, by two plaintiffs, John Chu and Edward Baton. Shopify Inc., Shopify USA Inc., Ledger SAS, and Ledger Technologies Inc. are named as defendants.
The plaintiffs claim several users lost their cryptocurrency in phishing campaigns due to their personal data being leaked. The suit also alleges Shopify and Ledger “negligently allowed, recklessly ignored, and then intentionally sought to cover up” the 2020 breach. Shopify first revealed the breach in September, and according to Ledger, Ledger was informed by Shopify of its involvement on December 23.
“Ledger’s and Shopify’s misconduct has made targets of Ledger customers, with their identities known or available to every hacker in the world,” the suit states.
Shopify revealed in September that two employees were behind a data breach that had affected some of the merchants on its platform. At the time, the company stated “less than 200 merchants” were affected.
The plaintiffs allege that the hackers involved in the breach posted Ledger’s customer list, including “email addresses and other contact information,” onto the online “black market.” The suit also claims between June and December 2020, at least one of the hackers published the acquired data online, exposing names, physical addresses, phone numbers, and order information.
In January, Ledger revealed it was part of the breach, as one of a “small number” of additional Shopify merchants that were found to have been affected by the data breach.
According to Ledger, 292,000 of its own customers were affected. Ledger said data exposed in the breach included emails, names, postal addresses, products ordered, and phone numbers.
In September, Shopify stated that two “rogue members” of its support team were engaged in the plot to obtain the customer transactional records of specific merchants following an internal investigation. Shopify said contact information such as emails, names, and addresses, as well as order details, such as products and services purchased, were affected.
Shopify declined to comment on the lawsuit to BetaKit, noting that litigation is pending. In January, a spokesperson for the company told BetaKit, “merchant trust and data security remain a top priority at Shopify, and we are committed to protecting our platform, our merchants, and their customers.”