Todd M. Schneider (SBN 158253)
Jason H. Kim (SBN 220279)
Matthew S. Weiler (SBN 236052)
Kyle G. Bates (SBN 299114)
SCHNEIDER WALLACE
COTTRELL KONECKY LLP
2000 Powell Street, Suite 1400
Emeryville, California 94608
Telephone: (415) 421-7100
Email: tschneider@schneiderwallace.com
Email: jkim@schneiderwallace.com
Email: mweiler@schneiderwallace.com
Email: kbates@schneiderwallace.com

Kyle W. Roche (pro hac vice application forthcoming)
Richard Cipolla (pro hac vice application forthcoming)
Jolie Huang (pro hac vice application forthcoming)
ROCHE FREEDMAN LLP
99 Park Avenue, 19th Floor
New York, NY 10016
Telephone: (646) 970-7509
Email: kyle@rcfllp.com
Email: rcipolla@rcfllp.com
Email: jhuang@rcfllp.com

Velvel Freedman (pro hac vice application forthcoming)
Constantine P. Economides (pro hac vice application forthcoming)
ROCHE FREEDMAN LLP
200 South Biscayne Boulevard
Miami, FL 33131
Telephone: (305) 971-5943
Email: vel@rcfllp.com
Email: ceconomides@rcfllp.com

Counsel for Plaintiffs

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

JOHN CHU and EDWARD BATON, Individually
and on Behalf of All Others Similarly Situated,

Plaintiffs,

v.

LEDGER SAS, LEDGER TECHNOLOGIES INC.,
SHOPIFY (USA) INC., and SHOPIFY INC.,

Defendants.

No. ______________

COMPLAINT

CLASS ACTION

DEMAND FOR JURY TRIAL

CLASS ACTION COMPLAINT

Case 3:21-cv-02470-JSC Document 1 Filed 04/06/21 Page 2 of 43

Individually and on behalf of all others similarly situated, Plaintiffs John Chu (“Chu”) and
Edward Baton (“Baton”), (collectively, “Plaintiffs”), bring this Action against Defendants Ledger
SAS and Ledger Technologies Inc. (“Ledger Technologies”), (collectively, “Ledger”) and
Defendants Shopify Inc., and Shopify (USA) Inc. (collectively, “Shopify”). Plaintiffs’ allegations
are based upon personal knowledge as to themselves and their own acts, and upon information and
belief as to all other matters based on the investigation conducted by and through Plaintiffs’
attorneys. Plaintiffs believe that substantial additional evidentiary support will exist for the
allegations set forth herein, after a reasonable opportunity for discovery.

I. INTRODUCTION

“We know security means never standing still.”
-Ledger.

1. Plaintiffs seek redress for the substantial, Class-wide damages that Ledger’s and
Shopify’s misconduct caused in connection with a massive 2020 data breach that those companies
negligently allowed, recklessly ignored, and then intentionally sought to cover up.

2. With Shopify assisting as its e-commerce vendor, Ledger purports to provide “the
highest level of security for crypto assets.” Its primary products are hardware wallets (“Ledger
wallets”) that store the “private keys” of an individual’s crypto-assets. These private keys are akin
to a bank-account password in that access to the private keys allows an individual to transfer one’s
crypto-assets. But unlike a bank-account transaction, crypto-asset transactions are non-reversible:
whoever gains access to the private keys associated with a crypto-asset can then transfer or spend
that asset with impunity. Ledger purports to provide owners of crypto-assets with the best security
to protect private keys from hackers and other bad actors.

3. Ledger thus knows that anonymity is necessary to protect against hacking attempts.
Crypto-asset transactions are publicly visible on the underlying blockchain, but nefarious actors
cannot identify the owner of particular crypto-assets based solely on public information. Without
personally identifying information, hackers face an immense obstacle to targeting an individual’s
crypto-assets. Conversely, when a hacker knows the identity of a crypto-asset owner, the hacker can
construct a workable attack catered to a target.

4. Consequently, to the world of hackers, Ledger’s customer list is gold. It is a list of
people who have converted substantial wealth into anonymized crypto-assets that are transferrable
without a trace. Using that list, hackers can manipulate or compel those owners to make untraceable
and irreversible transfers of the crypto-assets into the hackers’ accounts. The stakes of security for
crypto-assets are thus enormous. With anonymity, owning a Ledger wallet is a cutting-edge method
of securing crypto-assets. But without anonymity, owning a Ledger device simply creates a target
for attackers.

5. Ledger understands these realities and purports to account for them. As Ledger
claims in its advertising: “If you don’t want to get hacked, get a Ledger wallet.” Over the past year,
however, Ledger repeatedly and profoundly failed to protect its customers’ identities, causing
targeted attacks on thousands of its customers’ crypto-assets and causing Class members to receive
far less security than they thought they purchased when they purchased a Ledger wallet.

6. In mid-2020, between April and June, hackers found and exploited a database
vulnerability at Ledger and its e-commerce vendor, Shopify, to obtain a list of Ledger’s customers,
as well as email addresses and other contact information. By June 2020, Ledger’s customer list had
made its way onto the internet’s black market, making Ledger wallet owners vulnerable.

7. The circumstances grew much worse over the next six months. From June 2020
through December 2020, at least one of the hackers who had acquired the data published it online,
providing over 270,000 names, physical addresses, phone numbers, and order information to every
hacker in the world. As a direct result, the attacks on Ledger’s customers grew exponentially, with
customers losing money, facing threats of physical violence, and even feeling vulnerable in their
own homes. Indeed, using the customer shipping addresses that Ledger and Shopify had failed to
protect, hackers threatened to enter the homes of and attack Ledger customers unless those
customers made untraceable ransom payments.

8. In the face of these obviously emergent circumstances, rather than acting to protect
its customers, Ledger stood still. It did not even inform its customers of the breach. Instead, it
initially denied that any breach had occurred and continued to claim its products provided the best
possible protection for crypto-assets. As the customer list began to spread on the dark web, Ledger
admitted the existence of the breach but nevertheless disputed its publicly-reported scope.

9. By December 21, 2020, however, Ledger could no longer cover up the data breach.
On that day, the hacked customer list was posted publicly and became widely available. In a message
posted on its website from its CEO, Ledger admitted to the scope of the attack, stating that the
company “very deeply regret[s] this situation.” Ledger’s CEO further acknowledged that, as a result
of the hack, “many [Ledger customers] have been targeted by e-mail and SMS phishing campaigns
and that it’s clearly a nuisance.”

10. Ledger’s and Shopify’s misconduct has made targets of Ledger customers, with their
identities known or available to every hacker in the world. Ledger’s persistently deficient response
compounded the harm. In failing to individually notify every affected customer or admit to the full
scope of the breach, Ledger left customers unaware of the data breaches and concomitant hacking
risks. The natural and foreseeable result was that many customers fell victim to hackers’ phishing
emails disguised as emails from Ledger.

11. Ledger customers would not have purchased Ledger wallets at all, or would not have
paid as much as they did for Ledger wallets, had they known of Ledger’s lax security practices and
unwillingness to promptly and completely disclose data breaches.

12. Plaintiffs seek to redress Defendants’ misconduct, occurring from April 1, 2020, to
the present (the “Class Period”), under state common law and consumer-protection statutes on
behalf of the Class and several Subclasses of Ledger customers affected by the data breach described
herein.

II. PARTIES

Plaintiffs

13. Plaintiff John Chu is a resident of Georgia. He purchased and/or utilized devices
and/or services from Ledger.

14. Plaintiff Edward Baton is a resident of Georgia. He purchased and/or utilized devices
and/or services from Ledger.

Defendants

15. Defendant Ledger SAS is a French simplified joint-stock company headquartered in
Paris, France.

16. Defendant Ledger Technologies Inc. is a wholly-owned subsidiary of Ledger SAS.
It is incorporated in Delaware, registered to do business in California, and, at the time of the breach,
was headquartered in San Francisco, California and has a substantial office at 121 2nd St #4, San
Francisco, California 94105.

17. Defendant Shopify Inc. is a Canadian Corporation with offices at 151 O’Connor
Street, Ground floor, Ottawa, Ontario, K2P 2L8.

18. Defendant Shopify (USA) Inc. is a Delaware corporation and registered to do
business in California. Up until a week before it announced the data breach, its principal place of
business was in San Francisco, California. It now lists Ottawa, Canada as its principal place of
business. It is a wholly-owned subsidiary of Shopify Inc.

III. JURISDICTION AND VENUE

19. Jurisdiction of this Court is founded upon 28 U.S.C. § 1332(d) because the matter in
controversy exceeds the value of $5,000,000, exclusive of interests and costs, there are more than
100 class members, and the matter is a class action in which any member of a class of plaintiffs is a
citizen of a state different from any defendant.

20. This Court has personal jurisdiction over all parties.

21. Shopify (USA) Inc. is registered to do business in California, and for the vast
majority of the relevant time period, listed a California address as its principal place of business.

22. Similarly, Ledger Technologies is registered to do business in California and has a
substantial office at 121 2nd St #4, San Francisco, California 94105.

23. Ledger SAS dominates and controls Ledger Technologies’ internal affairs and daily
operations. Not only is Ledger Technologies a wholly-owned subsidiary of Ledger SAS, but there
is substantial overlap among their executives. For example, the Chief Executive Officer (“CEO”) of
Ledger Technologies is Pascal Gauthier, who is also the Chairman and CEO of Ledger SAS. Ledger
Technologies’ secretary is listed as Antione Thibault, who is the general counsel of Ledger SAS.
Ledger Technologies’ Chief Financial Officer (“CFO”) is the CFO of Ledger SAS. Though Ledger
SAS is not registered to do business in California, it boasts that it has employees in “Paris, Vierzon,
and San Francisco” without differentiating between the two entities.

24. Shopify Inc. dominates and controls Shopify (USA) Inc.’s internal affairs and daily
operations. Not only is Shopify (USA) a wholly-owned subsidiary of Shopify, but as in Ledger’s
case, there is a substantial overlap among its executives. Shopify (USA)’s CEO and CFO is Amy
Shapero—the CFO of Shopify. The Secretary of Shopify (USA) is Shopify’s Chief Legal Officer.
In addition, Shopify’s job listings note that it will “hire you [ ] anywhere” as long as it has “an
entity where you are.” That is, Shopify does not differentiate between its entities for any job
responsibilities and thus does substantial business through the American employees it hires through
its subsidiary formerly located in California.

25. This Court also has personal jurisdiction over Shopify and Shopify (USA) because
they solicit customers and transact business in California, including with Ledger and those who
purchased products or services from Ledger.

26. This Court also has personal jurisdiction over Ledger and Ledger Technologies
because they solicit customers, including Plaintiffs and Class members, in the United States and
California. In fact, 33% of the compromised two hundred and seventy-three thousand accounts with
address information belonged to Class members with U.S. addresses. This Court also has personal
jurisdiction over Ledger and Ledger Technologies because Shopify (USA) acted as those entities’
agent for the conduct giving rise to Plaintiffs’ claims. With respect to the breached data of Ledger’s
customers, the responses to the breaches, and the conduct giving rise to Plaintiffs’ causes of action,
Ledger had the right to control the conduct of Shopify, which acted as Ledger’s agent and was
authorized to act on Ledger’s behalf with respect to Ledger’s customers.

IV. FACTUAL ALLEGATIONS

A. Bitcoin and Crypto-Assets

27. A crypto-asset is a digital asset designed to work as a medium of exchange or a store
of value or both. Crypto-assets leverage a variety of cryptographic principles to secure transactions,
control the creation of additional units, and verify the transfer of the underlying digital assets.

28. Bitcoin was the world’s first decentralized crypto-asset. It is also the largest and most
popular crypto-asset, with a market capitalization of approximately $1.08 billion. Bitcoin spawned
a market of other crypto-assets that, together with Bitcoin, have a current market capitalization of
approximately $1.94 trillion. (The term “bitcoin” can refer to both a computer protocol and a unit
of exchange. Accepted practice is to use the term “Bitcoin” to label the protocol and software, and
the term “bitcoin” to label the units of exchange.)

29. At its core, Bitcoin is a ledger of addresses and transfer amounts that tracks the
ownership and transfer of every bitcoin in existence. This ledger is called the blockchain. The
blockchain is completely public.

30. Blockchains act as the central technical commonality across most crypto-assets.
While each blockchain may be subject to different technical rules and permissions based on the
preferences of its creators, they are typically designed to achieve the similar goal of decentralization.

31. In April 2013, there were only seven crypto-assets listed on coinmarketcap.com, a
popular website that tracks the crypto-asset markets. As of this filing, the site monitors more than
9,112 crypto-assets.

1. Transacting with Bitcoin and Blockchain Addresses

32. Because all blockchain addresses and transfers are public, the way to verify
ownership of an address is through the use of public and private keys.

33. Each address has one public key and one private key associated with it. With the
private key, one can control the address and can move bitcoin in or out of the account. The public
key is more like a digital signature that is used to verify ownership and transfers of funds. The
blockchain address, public key, and private key are often mathematically related to one another.

34. The private key is, however, the only mechanism that allows for the transfer of
a crypto-asset. With the private key—and nothing more—a person can implement an untraceable
transfer of the crypto-asset from one digital address to another. Without the private key, the
crypto-asset can never be transferred. In other words, anyone with the private key has total control over
the funds. Thus, to safeguard crypto-assets, one must keep the private key private.

2. Security and Crypto-Assets

35. It is the cryptographic principles behind the use of public and private keys that give
crypto-assets their name. Cryptography is at the heart of blockchain transactions, and security is
one of the chief advantages and selling points of the technology.

36. Nonetheless, since the inception of crypto-assets, there have been high-profile hacks
to steal them. One of the first large Bitcoin exchanges (handling over 70% of all Bitcoin transactions
at the time) lost a staggering 850,000 bitcoins to theft, with a value exceeding $49 billion USD
today.

37. It has been estimated that over $4 billion in crypto-assets were lost to theft and related
crimes in 2019.1 That risk of theft continues today.

38. Because it is nearly impossible to guess a user’s private key, hackers employ various
methods to gain access to private keys. Once a hacker obtains the private key for an address, the
hacker controls its funds. Unlike traditional accounts housed at banks, there are no approvals or
fraud monitoring warnings for moving crypto-assets out of an account. Moreover, any transfer is
effectively untraceable and irreversible, leaving the recipient immune from identification or
claw-back.

39. Given this constant threat of theft, security over an individual’s private keys is
paramount.

B. Ledger and Hardware Wallets

40. Ledger offers solutions to consumers to keep their crypto-assets safe. Ledger’s main
product offerings are “hardware wallets.” These are physical consumer items that appear similar to
a USB storage device. This is an example of a Ledger hardware wallet:

1 Jeb Su, Hackers Stole Over $4 Billion From Crypto Crimes In 2019 So Far, Up From $1.7 Billion
In All Of 2018, FORBES (Aug. 15, 2019, 01:49 PM EDT),
https://www.forbes.com/sites/jeanbaptiste/2019/08/15/hackers-stole-over-4-billion-from-crypto-crimes-in-2019-so-far-up-from-1-7-billion-in-all-of-2018/?sh=42ef46855f58.

41. Despite being named a “wallet,” such wallets do not “hold” cryptocurrency in the
way a traditional wallet stores cash. Rather, consumers store their private keys on these physical
devices, which are never connected to the internet (at least in the case of Ledger’s products).

42. The wallet itself can be accessed only by entering a PIN. Simply misplacing the
wallet thus poses no risk of theft. Ledger offers for sale two types of hardware wallets: the Ledger
Nano S and the Ledger Nano X.

43. Ledger also produces “Ledger Live,” a software product designed to interact with
devices. This screenshot shows its core functionality, in that a user can use the software to buy, sell,
send, and receive various crypto-assets:

44. Ledger has been highly successful selling these devices and services. Having raised
$88 million in funding, it is one of the market leaders for crypto-asset security.

1. Hacking Hardware Wallets

45. Users of hardware wallets generally face discrete risks of theft by hacking because
private keys exist only where the owners store them. If an owner stores the private keys only on a
hardware wallet with no internet connectivity—and not on a personal computer—then traditional
hacking cannot reveal those private keys. Instead, the main sources of risk are: (1) “phishing” attacks
to trick a user into revealing the private PIN to their hardware wallet; or (2) physical intimidation
that forces users into paying money or revealing that information to a hacker.

46. Phishing is the practice of purporting to be a legitimate institution and contacting
targets with the goal of soliciting passwords, banking information, or other sensitive information.
Common examples of this practice include mass spam emails sent to mimic the look and feel of a
banking website. The email recipient receives the email, believes she needs to link to the account to
update information, clicks a link in the email that goes to a sham website made to look like the real
bank website, and enters real login information into the sham website. The owners of the sham
website then possess that victim’s real banking login and password.

47. Internet users are becoming more and more savvy to phishing, however, requiring
hackers to craft attacks that are increasingly realistic and personalized and less reliant on large-scale
mass efforts.

48. Phishing attacks are also generally harder to accomplish against Ledger users, who
are typically more skeptical and security conscious and, in turn, savvier to phishing practices. For
example, Ledger users will commonly create special email addresses used just for interacting with
accounts that manage their crypto assets. And Ledger users will often have a separate dedicated
phone number to use for dual-factor authentication when interacting with their crypto assets.2 These
dedicated email addresses and phone numbers add another layer of protection to avoid phishing
attacks. Users know that crypto-asset-related emails, texts, or calls to any “main” email address or
phone number are illegitimate.

49. Similarly, using a separate phone number can protect users from other attacks, such
as SIM swap attacks.3 A SIM swap attack occurs when an attacker gains control of an individual’s
phone number by convincing the individual’s mobile carrier to switch it to a new SIM card—one
that the attacker possesses. Once attackers gain control of that phone number, they can then bypass
dual-factor authentication requirements.

`Plaintiffs—who have professional backgrounds, including in technology—were as
`savvy as anyone buying crypto assets and hardware wallets as far back as 2017. Accordingly, in
`addition to buying multiple Ledger products for storing their crypto assets, Plaintiffs took other
`precautions. Plaintiff Baton, for example, acquired a separate mobile phone and always interacted
`
`
`2 Dual authentication is a method in which a user is granted access to some system or device only
`after successfully presenting two or more pieces of evidence of rightful access, such as unique
`knowledge (e.g., a password) or unique possession (e.g., a key).
`3 SIM stands for “subscriber identification module,” and a SIM card is a physical circuit that is used
`to securely store the unique identifier of any user on a cellular network.
`
`CLASS ACTION COMPLAINT
`11
`
`1 2 3 4 5 6 7 8 9
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 3:21-cv-02470-JSC Document 1 Filed 04/06/21 Page 12 of 43
`
`
`
`with crypto assets using a virtual private network to encrypt communications and shield his IP
`address.
51. As to physical intimidation, even the savviest internet user cannot insulate himself
from such threats. A hacker can contact an owner of crypto-assets and threaten the owner with
physical violence unless an effective ransom is paid (usually in the form of an untraceable transfer
of crypto-assets to the hacker). These threats are rare. Without knowing an owner’s home
address, physical location, or even phone number, a hacker would have difficulty making a credible
threat prompting payment from the victim. And hackers cannot identify viable targets by simply
looking up publicly listed names, phone numbers, and addresses. Crypto-assets have not yet been
widely adopted; therefore, attackers have no way of knowing whether would-be targets own
crypto-assets or hardware wallets. In addition, for owners of crypto-assets, there is no analog for the
physical bank ATM—where would-be attackers could potentially wait, identify victims with funds,
and intimidate those victims.

52. For these reasons, the single greatest point of vulnerability for owners of Ledger
wallets is public disclosure of the information that a particular person owns the wallet. If hackers
know the names and/or email addresses of people who own Ledger wallets, then hackers can target
those people with sophisticated phishing schemes and tailored threats.

53. Accordingly, by operating in the crypto-asset security space, Ledger places itself
between users’ funds and would-be hackers. The anonymity of its customer list is a key and obvious
element of the security that Ledger offers. By analogy, a manufacturer of state-of-the-art lock safes
would not publish its customer list, which is valuable to would-be thieves seeking to identify targets
possessing high-value items. Similarly, public disclosure of Ledger’s customers puts those
individuals in the crosshairs of the very hackers the company seeks to impede.

2. Ledger Advertises State-of-the-Art Security for Crypto-Assets

54. Ledger’s consistent message to consumers is that Ledger wallets offer the best
possible protection for crypto-assets. Their tagline embodies this value proposition: “If you don’t
want to get hacked, get a Ledger wallet.” Ledger represented to consumers, prior to the data breach
at issue, the following:

Critical digital assets are the new oil and securing them is the most
important challenge for the coming years.

That’s where we come in. We are Ledger.

We are a unique digital security ecosystem that provides protection
and is built on verifiable trust across our people, hardware and
software. And in today’s world, we know that trust deserves proof.
This is why we provide transparency into how our technology works.

We relentlessly stress-test our own technology solutions. Our Ledger
Donjon team is made up of world-class experts with extensive
backgrounds in the security and smartcard industries. They
continuously look for vulnerabilities on Ledger products as well as
our providers’ products in an effort to analyze and improve the
security. We know security means never standing still.

(emphasis added).

55. Ledger further and publicly asserted, prior to the data breach at issue:

“At Ledger we are developing hardware wallet technology that
provides the highest level of security for crypto assets;”

“Ledger hardware wallet, combined with the Ledger Live application,
is the best solution to secure and control your crypto assets;”

“Ledger hardware wallets are designed with the highest security
standard to keep your crypto secure at all time;”

“Ledger enables resilience through verifiable trust. Knowing trust is
the greatest way to make our world truly move forward and progress.”

56. Ledger also republished, prior to the data breach at issue, acknowledgments from
reputable third-party commentators:

“French Crypto Wallet Ledger Is Solving Bitcoin’s Biggest Flaw” (as
featured in Forbes);

“Ledger makes sure private keys never become accessible to thieves,
online or anywhere else” (as featured in Bloomberg);

“Ledger removes the risk of being hacked” (as featured on CNBC).

57. Through those statements, Ledger conveyed to consumers that Ledger wallets,
coupled with Ledger’s services, provide the highest standard of security for owners of crypto-assets.
Ledger further conveyed that it was tirelessly assessing its wallets and supporting services for
vulnerabilities, while adapting to protect against those threats. By buying a Ledger wallet,
consumers purportedly were buying into a comprehensive security support system that maximized
protections against threats to crypto-assets.

58. Making the foregoing, unequivocal representations, Ledger sold Class members the
Ledger Nano X wallet for $119 and the Ledger Nano S wallet for $59. Class members would not
have purchased these products at all, or would have paid significantly less for them, had they known
of Ledger’s lax security practices and unwillingness to promptly and completely disclose data
breaches.

3. Ledger Uses Shopify as an E-commerce Vendor

59. Ledger sells its Nano products through a number of distributors, including retailers
like Amazon and Walmart. It also sells directly to consumers through https://shop.ledger.com/ (the
“Shopping Website”).

60. Shopify powers Ledger’s Shopping Website. Shopify is an e-commerce giant. Over
one million businesses use its platform, and over $61 billion of sales occurred on its platform
through these businesses in 2019. It is the largest publicly-traded company in Canada.

61. Shopify’s success is based on providing services to allow companies to easily
operate online stores. Shopify provides e-commerce solutions for businesses to allow them to easily
create digital storefronts. For example, Shopify allows you to create a well-designed web layout,
provides a payment provider to accept credit card payments, and makes various profit and inventory
applications available. These solutions are essentially a software product that companies subscribe
to in order to host digital stores.

62. When users purchase directly from Ledger on its Shopping Website, they must
provide certain personal information before placing an order, such as their physical address, phone
number, and email address. Because Ledger uses Shopify’s services, Shopify acts as an intermediary
between Ledger and purchasers of Ledger’s products. Therefore, Shopify also has access to the
personal information that purchasers provide.

63. Shopify’s terms of service obligate it to “take all reasonable steps” to protect the
disclosure of confidential information, including “names, addresses and other information regarding
customers and prospective customers.”

C. The Ledger Data Breach

64. In mid-2020, between April and June, certain Shopify employees took advantage of
Shopify’s access to the personal information of Ledger’s customers and acquired and exported
Ledger’s customer transactional records (the “Data Breach”). The Shopify employees also obtained
data relating to other merchants.

65. On September 22, 2020, Shopify announced that: (1) “two rogue members of our
support team were engaged in a scheme to obtain customer transactional records of certain
merchants;” (2) the “incident involv[ed] the data of less than 200 merchants;” and (3) “Our teams
have been in close communication with affected merchants to help them navigate this issue and
address any of their concerns.” This announcement made it clear that Shopify was aware of the data
breach before the day of the announcement and even had time to “conduct an investigation” and
notify affected merchants. On information and belief, Shopify knew of the data breach more than
one week before.

66. On information and belief, those rogue employees were located in America, as
immediately after noting that the employees’ access was terminated, Shopify’s statement
highlighted its compliance with American (rather than Canadian) legal authorities in stating that it
was “currently working with the FBI and other international agencies.” To the extent these
employees were American, they were most probably employed by its California office.

67. The Data Breach in fact involved the data of approximately 272,000 people,4
approximat