Hack exposing the personal data of 1 million crypto investors painfully underlines the importance of privacy laws

In late July 2020, it was announced that part of the customer database of the French company Ledger (one of the world's largest manufacturers of cryptocurrency hardware wallets) had been hacked. As a result, the personal data of more than 1 million Ledger customers fell into the hands of hackers.

Date: August 10, 2020

Modified November 14, 2023

Written by: Joost van Dongen

Reading time: +/- 2 minutes

While such a hack is painful for any company, for Ledger it also means an additional loss of face. After all, Ledger's customers are crypto investors who place extra value on security and privacy: a so-called hardware wallet (a USB-stick-like device that holds the private keys for your cryptocurrencies) lets you store and manage your coins securely and without involving a third party. The question is how secure coins on a Ledger hardware wallet still are. In this blog, I discuss the implications of the hack and the privacy rules that matter here.

What exactly happened?

On July 29, 2020, word came out that part of Ledger's databases had been accessible to third parties. According to Ledger, a misconfigured Application Programming Interface (an API: software that allows different programs to communicate with each other) allowed the hacker to gain access to part of the e-commerce and marketing databases. The leak eventually came to light through research by a programmer participating in Ledger's bug bounty program. Unfortunately, the finding came too late. By the time the misconfigured API was discovered, the hacker had already used it to capture not only 1 million e-mail addresses, but also the first and last names, postal addresses, phone numbers and order information of nearly 10,000 customers.

As I mentioned in the introduction, a hack of this magnitude is a nightmare for any company. For Ledger, the blow is even harder, as the company is considered one of the leading producers of hardware cryptocurrency wallets. Customers choose a hardware wallet from Ledger precisely because of its security and anonymity: no one knows what cryptocurrencies you have or where they are stored. Unlike software wallets on an internet-connected computer, or custodial wallets where a third party manages the coins online, a hardware wallet keeps the private keys offline on the device, so the risk of theft of the coins themselves is much smaller. The breach did not touch the wallets or the keys stored on them; what it did expose is who ordered a hardware wallet, where these customers live and what their e-mail addresses and phone numbers are. As a result, these customers have all become targets for scammers and hackers who, through phishing and other pressure, try to get the investor to hand over the cryptocurrencies.

Processing personal data, what about it?

Every time an organization processes personal data, it infringes on the privacy of the people the data is about. Processing personal data is therefore only allowed on a legal basis, and for most of those bases only if the purpose cannot reasonably be achieved without the processing. The General Data Protection Regulation (GDPR, in Dutch the AVG) provides six bases on which personal data may be processed. The GDPR is European law and therefore applies in all member states of the European Union (and thus also to the French Ledger). The bases are:

1. There is consent from the data subject.
2. It is necessary to process data in order to perform a contract.
3. It is necessary to process data because it is required by law.
4. It is necessary to process data to protect vital interests.
5. It is necessary to process data to perform a task of public interest or public authority.
6. It is necessary to process data to pursue a legitimate interest.

In the present case, Ledger's basis for processing personal data can rest, among other things, on the performance of a contract (Ledger must, after all, ship the hardware wallets to its customers) and, in addition, on a legal obligation (Ledger must, among other things, keep its sales invoices for the French tax authorities).

It is important for any organization that processes personal data to state in a privacy statement which personal data it processes and why. This fulfills the information obligation under the GDPR. In addition, it is important (and in many cases mandatory) to keep a register of processing activities: an overview, intended for internal use, of the personal data being processed.

In addition to a valid legal basis under the GDPR, a legitimate purpose is required for processing personal data. Personal data may be processed on one of the aforementioned bases, but only for a specific purpose. The GDPR does not list which purposes qualify; the purpose must, however, be justified. The purposes for which personal data are processed must also be stated in the privacy statement and in the register of processing activities.

How long may personal data be kept?

In order to keep proper records, an organization must retain certain personal data for a period of time. The GDPR itself sets no concrete retention period for personal data, so it is up to organizations to determine how long they keep it. Keeping personal data indefinitely without a basis is prohibited. At some point, therefore, personal data must be destroyed, for example once the legal retention period has expired. It is unclear whether some of the data in Ledger's database, such as that of long-closed orders, should already have been destroyed before the hack.

Personal data security

Under the GDPR, organizations that use personal data must secure it in order to prevent data breaches (like the one at Ledger) as far as possible. Appropriate technical and organizational measures must be taken:

  1. Organizations must use up-to-date techniques to secure personal data (for example, not exposing a database through an API without access controls);
  2. Organizations need to look at how they handle personal data internally. For example: who has access to which data, and is that access necessary?

Evidently, security was not in order at Ledger, leading to a massive data breach that put personal data in the hands of malicious parties. It is possible that Ledger acted in violation of the GDPR as it applies in France. Under the GDPR, companies are obliged to report data breaches: a data breach must be reported within 72 hours to the competent supervisory authority (in the Netherlands the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens), and in some cases also to the people whose data has been leaked.

Do you have questions about how you process or secure personal data? Or would you like to have your privacy statement drafted or checked? Please feel free to contact Valerie Lipman or Joost van Dongen. We will be happy to help you further.

This page was last updated on Aug. 8, 2023.
