Ledger seems to have a hard time comunicating the facts properly. First, I believe that around July 2020, they informed that a data leak took place, involving 1M emails and personal contact data for 9.500 customers. By December 2020, the leak involved 272.000 customers as we know, essentially after the DB was made available on Raidforum.
These days, they’re sending out yet another Security Notice, referencing a breach on Shopify, their e-commerce partner (when purchasing on their official site, I believe the ecommerce part goes through shopify’s platform). Judging by the dates they mention in their most recent notice, Shopify was not aware that Ledger’s data has been leaded on their platform by some rouge agents until the 21/12/2020, which is the date on which the prior Security Notice was released after the Raidforum business. Nevertheless, they informed Ledger on the 23/12/2020, which does not add-up properly with the second Security Notice released around the 21/12/2020.
That would lead me to believe (dubiously) that they are talking about the same incident, albeit trying to discharge responsibility on Shopify, but they do not bind the two Security Notices together, indicating that they are referencing the same incident, providing further information in this case (or confusion).
Either I can’t interpret their intent, or they are messing-up with they way they communicate. If they are on about the same incident, make it explicit. If not, make it explicit too. I want to believe that they are on about the same incident, and that we’re not talking about two, which would seem berserk.
One has to wonder though exactly who has the customer data: Ledger, Shopify, or both. It it’s both, then this should also be known and explicit (I haven’t managed to find this on their site). Any (weak) data policy on one side is void if not carried out by the whole chain of value.
Bad news from Ledger (again).
Now, we have new information to share: on December 23rd, 2020 we received a notification from our e-commerce service provider, Shopify, regarding an incident involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported customer transactional records in April and June 2020. According to Shopify, this is related to the incident reported September 2020, which concerns more than 200 merchants, but until December 21st, 2020, Shopify had not discovered that Ledger was also targeted in this attack. Shopify tells us they engaged digital forensics experts and counsel to continue their investigation on the matter and have reported the matter to law enforcement in both Canada and the USA.
Along with forensic firm Orange Cyberdefense we were able to establish that it affects approximately 292,000 customers. While the database is 93% similar to those exposed in the previous attack there were approximately 20,000 new customer records including, email, name, postal address, product(s) ordered and phone number included in this breach.
If you’re among those who slipped through for the first time, check your emails because Ledger has sent a notification to all new
winners who will start receiving phishing messages and be at risk of physical assault.
A map to incompetence: