Ledger, the high-profile French cryptocurrency security startup, is fighting to repair its reputation with a new set of safety measures and a bounty offer following embarrassing breaches that exposed customer data.
The details of the data leaks that occurred via two third-party ecommerce partners have gradually emerged in the months since the first incident was discovered last summer. The crisis has cast a pall over what should be a jubilant moment for the company as the rise of bitcoin’s price in recent months brings more attention to cryptocurrencies and drives sales of Ledger’s signature Nano hardware wallets.
Instead, Ledger has scrambled to hire a new security team, announced new data security procedures and bet that being transparent about the issues it faces would help stem the backlash. Winning back trust will be no easy feat considering its products cater to a market of crypto fans who by nature tend to be distrustful of companies and institutions.
Ian Rogers, a tech veteran who joined the company last month as chief experience officer, tells Sifted that he remains optimistic that the fallout will allow Ledger to mature, even if it means some painful lessons in the short term.
“It's incredibly unfortunate because here you have this very secure product that has suffered because of insecurity elsewhere in the stack,” Rogers said. “I think on some level it's a growing pain of a small company.”
Into the breach
Paris-based Ledger was cofounded in 2014 by Eric Larchevêque, Joel Pobeda, Nicolas Bacca and Thomas France. Ledger’s Nano hardware wallets look almost like a USB key, and allow users to store their private keys for their cryptocurrency on the device. When they create their Ledger account, they receive a 24-word phrase that is their private key to access the device.
The company’s success has attracted $88m in VC from firms such as Draper Esprit, FirstMark and XAnge. As the Nano continued to win rave reviews, Ledger became a leading contender to be the kind of international digital champion for which the French ecosystem has such a hunger.
Pascal Gauthier, a former Criteo executive, took over as CEO in 2019 to drive Ledger’s expansion strategy. That seemed to be rolling along nicely when Gauthier got word on July 14 through the company’s bug bounty programme that there had been some kind of breach to its ecommerce and marketing database.
Ledger executives confirmed that 9.5k detailed customer records and a total of 1m email addresses had been leaked. By July 29, Ledger had notified affected customers as it sought to fully grasp the extent of the damage.
The weakest links
The nature of any hack is that it often takes time to fully uncover what happened, the size of the leak and who is behind it. In this case, the hackers appeared to have accessed the customer database through an API key for Iterable, which is used for Ledger’s transactional emails. It turned out that the API key had been misconfigured on Ledger’s website for almost two years.
By autumn, Ledger was still warning that customers whose data had been leaked were targets of phishing campaigns. And competitors such as Trezor were claiming publicly that their users were suffering phishing attacks based on the leaked Ledger data.
Then in December, Ledger got another jolt when it learned that a much larger subset of its customer data had been discovered online, exposing 272k users. Ledger executives assumed this was linked to the breach revealed over the summer. Still, the revelation triggered another wave of fury from customers and more bad publicity in the crypto media.
“To be very clear: this data breach has no link nor impact on our hardware wallets, the app or your funds,” Gauthier wrote in a December 21 blog post. “Your crypto assets are safe. While very truly and sincerely regrettable, this breach concerns only ecommerce related information.”
However, the decision by Gauthier to not offer refunds proved controversial. Gauthier told one reporter that making refunds to 1m customers would “kill the company.” Instead, he vowed to use that money to fortify Ledger’s security, including bringing in a new chief information security officer and security team.
Yet his December blog post hinted at the potentially ominous implications of the hacks, noting that some users had “expressed concerns about potential physical attacks.” Could someone track down a Ledger user to their home and threaten them to get their cryptocurrency?
Gauthier said no one could use the leaked data to know how much was in someone’s wallet, which makes such attacks unlikely. Meanwhile, the company has been emphasising essential security steps, like writing those 24 words on a piece of paper and keeping them someplace secure, like a vault.
That didn’t comfort a Dutch user who has been tweeting about the issue from his @_Mooner666 Twitter account. In an interview with Sifted, he didn’t want his identity disclosed because he was still in fear for his physical safety.
After dabbling in crypto for a couple of years, he started to seriously invest in 2019 and bought a Ledger Nano. Since the hack, he’s been getting threatening calls and emails demanding his crypto.
“It is a really scary feeling knowing that your personal information is out on the streets in the hands of criminals,” he said. “You can never be sure if it is a serious threat or not. I wouldn’t be surprised in today’s world if some criminals would show up in front of my doorstep. Trust is a big must in this space. Ledger broke that trust.”
But wait, there’s more
Ledger’s relationship with third-party providers is fairly common in this age of startups. Cloud-based tools allow startups to quickly plug in robust third-party solutions so they can stay lean and move faster.
But in this case, the company got more bad news from ecommerce partner Shopify. It turned out that two “rogue” Shopify employees had stolen data belonging to 200 merchants. Shopify contacted Gauthier just after Ledger’s latest public disclosure in December. Much of the data overlapped with the previous breach, but it turned out another 20k customers were affected.
And so, in another blog post on January 13, Gauthier disclosed the additional information along with a broader security plan that included trying to reduce the amount of time it held customer data and offering a bounty for information that leads to the arrest of “those responsible for the attacks on Ledger and Ledger customers.”
Baptiste Robert, an independent French security researcher, noted that because Ledger’s main product is related to security, incidents like these can be a particular blow to a company’s reputation even if there is no issue with the hardware wallets. Yet the potential for such breaches should have been anticipated as part of routine threat modelling.
“It’s always the same issue, the attack surface issue,” Robert said. “When you have a company, you have to assess your threat model. And you have to consider your asset. In this case, with a company that is doing something money related, customer information is super sensitive.”
Rogers doesn’t necessarily disagree.
“I think you could say it's naive [that] this wasn't anticipated by the team that builds the website and links to ecommerce,” Rogers said. “And you would be completely justified in saying that. But it’s also part of a company that is growing incredibly quickly, and really focused on the security of all the hardware and trying to help people get access to that hardware.”
In the short term, the company continues to rethink every aspect of how it collects and handles customer data, while still needing to balance that against regulatory, tax and shipping requirements. Rogers also believes that Ledger will drastically improve its customer service experience and, most importantly, its security.
And in doing so, he hopes it will offer lessons to the broader crypto community about how to improve security and to manage a crisis.
“It's a reminder that we aren't making Pinterest,” Rogers said. “We are making a product that protects assets. So we have to have the level of security that an asset management company, like HSBC or Wells Fargo has. Not the level of security that Pinterest or Etsy would have. You learn a lot from getting knocked down.”