IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF DELAWARE

GREGORY FORSBERG, CHRISTOPHER GUNTER, SAMUEL KISSINGER, AND SCOTT SIPPRELL, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

SHOPIFY, INC., SHOPIFY HOLDINGS (USA), INC., SHOPIFY (USA) INC., AND TASKUS, INC.

Defendants.

Case No.:

JURY TRIAL DEMANDED

CLASS ACTION COMPLAINT

Individually and on behalf of others similarly situated, Plaintiffs Gregory Forsberg (“Mr. Forsberg”), Christopher Gunter (“Mr. Gunter”), Samuel Kissinger (“Mr. Kissinger”), and Scott Sipprell (“Mr. Sipprell”) (collectively, “Plaintiffs”), bring this action against Defendants Shopify, Inc., Shopify Holdings (USA), Inc., Shopify (USA) Inc. (collectively, “Shopify”), and TaskUs, Inc. (“TaskUs”) (collectively, the “Defendants”). Plaintiffs’ allegations are based upon personal knowledge as to themselves and their own acts, and upon information and belief as to all other matters based on the investigation conducted by and through Plaintiffs’ attorneys. Plaintiffs believe that substantial additional evidentiary support for the allegations set forth herein exists and will be revealed after a reasonable opportunity for discovery.

Case 1:22-cv-00436-UNA Document 1 Filed 04/01/22 Page 2 of 62 PageID #: 2

I. INTRODUCTION

1. This is a class action for damages against TaskUs and Shopify for their failure to exercise reasonable care in securing and safeguarding consumer information in connection with a massive 2020 data breach impacting Ledger SAS (“Ledger”) cryptocurrency hardware wallets (“Ledger Wallets”), resulting in the unauthorized public release of approximately 272,000 pieces of detailed personally identifiable information (“PII”), including Plaintiffs’ and “Class” (defined below) members’ full names, email addresses, postal addresses, and telephone numbers.

2. Ledger sells Ledger Wallets through its e-commerce website, which is run on Shopify’s platform.

3. Ledger Wallets store the “private keys” of an individual’s crypto-assets. These private keys are similar to bank account passwords in that access to the private keys allows an individual to transfer the assets out of a cryptocurrency account. Unlike a bank account transaction, however, cryptocurrency transactions are non-reversible—once assets are transferred out of a cryptocurrency account, they are able to be distributed or spent with little information about where they could have gone.

4. Ledger Wallets were marketed as providing owners of cryptocurrency with the best security for their cryptocurrency because they hold password information in a physical form and restrict transfer of crypto-assets in an individual’s account unless the physical device is mounted to a computer and a twenty-four-word passphrase is entered.

5. Because of these features, Ledger’s platform is built on marketing the utmost security and trust to its customers. Ledger and Shopify know that cryptocurrency transactions are publicly visible through a transaction’s underlying blockchain, but cannot be traced back to their particular owner without more information. When hackers know the identity of a cryptocurrency owner and know what platform that consumer is storing their crypto-assets on, the hacker can work backwards to create a targeted attack aimed at luring hardware wallet owners into mounting their hardware device to a computer and entering their passphrase, allowing unfettered access and transfer authority over their crypto-assets.

6. Accordingly, to the world of cybercriminals, Ledger’s customer list, which was in the possession of Shopify at the time of the “Data Breach” (defined below), is extremely valuable. By accessing Ledger customer PII entrusted to Shopify, such as full names, email addresses, postal addresses, and telephone numbers, hackers can engineer targeted communications—known as phishing attacks—that compel users to unlock their cryptocurrency accounts and make untraceable, irreversible transfers of cryptocurrency into these criminals’ accounts overseas and within the United States. The security of Ledger customers’ PII is accordingly of the utmost importance. One instance of a customer mistakenly releasing their account information to hackers can lead to the loss of millions of dollars in cryptocurrency that will never be returned to their owner.

7. With their PII in hackers’ hands, Plaintiffs and Class members are no longer in possession of a secure cryptocurrency portfolio.

8. Ledger and Shopify understand the seriousness of the misuse of customers’ PII, and purport to address these issues. For example, Ledger advertises that it has “the highest security standards,” and that it “continuously look[s] for vulnerabilities on Ledger products as well as [its] providers’ products in an effort to analyze and improve the security,” and that its products provide “the highest level of security for crypto assets.”1 Shopify touts that it “work[s] tirelessly to protect your information, and to ensure the security and integrity of our platform.”2

1 The Ledger Donjon, LEDGER (Oct. 23, 2019), https://www.ledger.com/academy/security/the-ledger-donjon (last accessed Feb. 22, 2022).

2 Privacy Policy, SHOPIFY (Jan. 10, 2022), https://www.shopify.com/legal/privacy#information-protection (last accessed Feb. 22, 2022).

9. Ledger has built a reputation of maintaining the highest trust possible with its customers, including those related to consumer PII that the company shares with third parties like Shopify. Below are true and correct screenshots of Ledger’s advertising claims on its website, as well as the company’s policies related to the information that it shares with third parties in the course of its business:

[Screenshots of Ledger’s website. Legible headings: “YOUR 24-WORD RECOVERY PHRASE”; “MAKE YOUR DEVICE SECURELY YOURS: THE 24-WORD PHRASE”; “How to secure your PIN code?”; “WHY IS LEDGER NANO SO SECURE?”; “A DEVICE THAT GIVES YOU FULL OWNERSHIP OVER YOUR CRYPTO”; “DON'T TRUST, VERIFY”.]

[Screenshot of Ledger’s privacy policy, section “DATA COLLECTED THROUGH OUR WEBSITES”. The legible row for “Purchase of a Ledger product” lists: name, email address, delivery and billing address, phone number, company name, intra-community VAT number, product bought, delivery method and payment, order amount, currency.]

10. Despite the repeated promises and world-wide advertising campaign touting unmatched security for its customers, Ledger—and its data processing vendors, Shopify and TaskUs—repeatedly and profoundly failed to protect its customers’ identities, causing targeted attacks on thousands of customers’ crypto-assets and causing Class members to receive far less security than they thought they had purchased with their Ledger Wallets.

11. Between April and June of 2020, hackers gained access to and exploited a Ledger database vulnerability through its e-commerce vendor, Shopify, and TaskUs as a third-party contractor, in order to obtain a list of Ledger’s customers’ PII (the “Data Breach”). By June of 2020, hundreds of thousands of victims’ information had been traded on the black market, leaving Plaintiffs and Class members vulnerable to multiple phishing attacks.

12. The known extent of the Data Breach became much worse over subsequent months. Between June and December of 2020, the hackers who had acquired the Ledger customer list from Shopify (due to Shopify and TaskUs negligence) had published the data online, providing over 270,000 names, email addresses, physical addresses, phone numbers, and other customer information to every hacker who wanted access to this information. The attacks on Ledger customers, targeted at obtaining their confidential wallet passphrases or forcing customers to transfer thousands of dollars in cryptocurrency to untraceable accounts across the world, increased exponentially. Customers lost money in phishing attacks and faced threats of physical violence or blackmail if they did not transfer crypto-assets to criminals around the world. Using the customer shipping addresses that Shopify and TaskUs failed to protect, hackers threatened to enter Ledger customers’ homes and assault them if they did not provide payment; some cybercriminals even sent targeted phishing attacks under the guise of Ledger customer service representatives, luring Data Breach victims to provide confidential passphrases to hackers and allowing their assets to be drained from their accounts.3

3 Tim Copeland, Ledger Won’t Reimburse Users After Major Data Attack, DECRYPT (Dec. 21, 2020), https://decrypt.co/52215/ledger-wont-reimburse-users-after-major-data-hack

13. In the face of these circumstances, rather than acting to protect customer information, Ledger, Shopify, and TaskUs did not even inform Plaintiffs and Class members of the Data Breach. Instead, Ledger initially denied that any compromise of the PII had occurred and continued to claim its products were superior because they provided the best protection for crypto-asset protection.

14. By December 23, 2020, however, Ledger could no longer cover up the Data Breach. The hacked customer list had been posted publicly online and had become widely available.

15. In response to this now-public reality, Ledger sent some customers affected by the Shopify and TaskUs Data Breach an email notifying them for the first time that their information had been affected as the result of a breach of Shopify’s merchant database; however, the email notice provided nothing more than a passing reference to the Shopify incident further detailed herein.

16. Below is a true and correct recitation of the notification email sent to Ledger customers affected by the Data Breach:

Dear client,

On December 23, 2020, Shopify, our e-commerce service provider, informed Ledger of an incident involving merchant data. Rogue agent(s) of their customer support team obtained Ledger customer transactional records in April and June 2020. This is related to the incident reported by Shopify in September 2020, which concerns more than 200 merchants, but until December 21, 2020, Shopify had not identified this affected Ledger as well.

We were able to examine the stolen data together with a third party forensic firm to identify the impacted customers.

We regret to inform you that you are part of the customers whose detailed personal information was stolen by Shopify rogue agent(s). Specifically, your name and surname, detail of product(s) ordered, phone number and your postal address were exposed.

We notified the French Data Protection Authority on December 26, 2020. We are continuing to work with Shopify and law enforcement on the case; an investigation is already underway, led by the FBI and the RCMP. Ledger also reported the events to the French Public Prosecutor and filed a complaint against the rogue agent(s).

Thefts and attacks such as this cannot go uninvestigated or unprosecuted. We continue to work with law enforcement as well as private investigators on these cases, and we are adding more firepower by hiring additional private investigation capacity, adding experience and approaches to finding those responsible for these data thefts.

FINALLY, keeping you secure is our reason for existing. We will soon release a technical solution that will remove the 24 words as the single pillar of the security of our hardware wallets and will open the door to funds insurance.

If you would like more detail on the many steps we are taking to prevent such incidents in the future, please read this blog post.

Sincerely,
Pascal Gauthier
Ledger CEO

17. The notification email provided nothing more than a passing reference to the Shopify and TaskUs Data Breach, with the message containing a single hyperlink to a blog post on Shopify’s website from September of 2020 that describes the extent of the Data Breach. A true and correct screenshot of the blog post on Shopify’s website is copied below:

18. It would not be revealed until months later that the “rogue members” of Shopify’s support team included employees of TaskUs, Inc., a Delaware company that operates as a data vendor for a number of Shopify clients. Also revealed was that a hacker known as “Pokeball” solicited members of TaskUs who processed Shopify merchant data for a list of customers using various merchants’ services, including Ledger.4

4 Natalie Wong & Gerrit De Vynck, Shopify Says ‘Rogue’ Employees Stole Data from Merchants, BLOOMBERG LAW (Sept. 22, 2020), https://news.bloomberglaw.com/privacy-and-data-security/shopify-says-rogue-employees-stole-data-from-merchants?context=article-related.

19. Defendants’ misconduct, including but not limited to their failure to (a) prevent the Data Breach and (b) take action in response thereto for approximately six months—if not longer—has made targets of Plaintiffs and Class members, with their identities known or available to every hacker in the world who wants access to this information.

20. Defendants’ deficient response compounded the harm that has already been experienced by Plaintiffs and Class members. For example, by failing to notify every affected customer or admit to the full scope of the Data Breach, Shopify and TaskUs left Plaintiffs and Class members unaware of the Data Breach and concomitant hacking risks. The direct result of Defendants’ failure to adequately warn their merchant clients of the Data Breach is many Ledger customers falling victim to hackers’ phishing emails and resulting fraud.

21. Moreover, Shopify’s deficient response to the Data Breach included a failure to provide any support for merchant clients, like Ledger, whose customers had been targeted in the incident, as well as negligently entrusting Ledger customer information to TaskUs’s data processing team who, in turn, failed to maintain the information using adequate data safety standards.

22. Shopify is therefore responsible for the actions of TaskUs in its maintenance (or failure to maintain) Plaintiffs’ and Class members’ PII.

23. TaskUs, who upon information and belief brokered the contract with Shopify to process Shopify data through TaskUs offices located in the United States, also failed to properly maintain Plaintiffs’ and Class members’ highly sensitive PII, which it knew would lead to targeted cyberattacks resulting in thousands of victims losing cryptocurrency funds that they expected would be kept secure.

24. Had Plaintiffs and Class members known that the information necessary to perform targeted phishing attacks against them would not be adequately protected by Shopify and TaskUs, they would not have paid the amount of money they did to purchase the Ledger Wallets. Nor, for that matter, would they have agreed to have their data transmitted to either company in order to perform e-commerce support for Ledger’s operations.

25. On behalf of the Class and several Subclasses of victims impacted by the Data Breach described herein, Plaintiffs seek, under state common law and consumer-protection statutes, to redress Defendants’ misconduct occurring from April 1, 2020 to the present (the “Class Period”).

II. PARTIES

A. Plaintiff Gregory Forsberg

26. Plaintiff Forsberg is a citizen of Arizona and resides in Tucson, Arizona. Mr. Forsberg purchased a Ledger Nano S for use as a cryptocurrency wallet to control his cryptocurrency assets. On or around April of 2019, Mr. Forsberg saw advertisements online for Ledger services and hardware. Relying on these representations, Mr. Forsberg purchased the Ledger Nano device from an online retailer and transferred his cryptocurrency assets to his Ledger device. In adding cryptocurrency to his Ledger Wallet, he was required to provide his PII to Ledger’s online service, including the types of PII mentioned above in the “Data Collected Through Our Websites” section, including his first and last name, email address, telephone number, and postal address. In making his purchase decision, Mr. Forsberg relied upon the data security services advertised by Ledger, including the company’s use of third parties and independent contractors such as Shopify and TaskUs to process customer PII. Mr. Forsberg would not have purchased the Ledger Nano S device had he known that the sensitive information collected by Ledger would be at risk because of the negligence of Defendants, to whom Ledger entrusted Mr. Forsberg’s PII. Mr. Forsberg has suffered damages described below, including but not limited to the fraudulent removal of cryptocurrency from his portfolio due to a sophisticated scam attack on his Ledger wallet, and remains at a significant risk of additional attacks now that his PII has been leaked online.

B. Plaintiff Christopher Gunter

27. Plaintiff Gunter is a citizen of North Carolina and resides in Asheville, North Carolina. Mr. Gunter purchased a Ledger Nano S device for use as a cryptocurrency wallet to control his cryptocurrency assets. On or around January of 2018, Mr. Gunter saw advertisements online for Ledger’s services and hardware. Relying on these representations, Mr. Gunter purchased the Ledger Nano S device from an authorized reseller on eBay and transferred his cryptocurrency assets from an online Coinbase wallet to the Ledger device using Ledger’s online platform in November of 2018. In making the transfer of his cryptocurrency assets from his Coinbase account to his Ledger device, he was required to provide his PII to Ledger’s online service, including the types of PII mentioned above in the “Data Collected Through Our Websites” section, including his first and last name, email address, telephone number, and postal address. In making his purchase decision, Mr. Gunter relied upon the data security services advertised by Ledger, including the company’s use of third parties and independent contractors such as Shopify and TaskUs to process customer PII. Mr. Gunter would not have purchased the Ledger Nano S had he known that the sensitive information collected by Ledger would be at risk because of the negligence of Defendants, to whom Ledger entrusted Mr. Gunter’s PII. Mr. Gunter has suffered damages described below, including but not limited to the fraudulent removal of cryptocurrency from his portfolio due to a sophisticated scam attack on his Ledger wallet, and remains at a significant risk of additional attacks now that his PII has been leaked online.

C. Plaintiff Samuel Kissinger

28. Plaintiff Kissinger is a citizen of Kentucky and resides in Burlington, Kentucky. Mr. Kissinger purchased two Ledger Nano S devices, a Ledger Nano X, and a Ledger Blue for use as cryptocurrency wallets to control his cryptocurrency assets. On or around August of 2017 and again in October of 2018, when Mr. Kissinger purchased the devices, he saw advertisements online for Ledger services and hardware. Relying on these representations, Mr. Kissinger purchased the Ledger Nano device from an online retailer and transferred his cryptocurrency assets to his Ledger device. In adding cryptocurrency to his Ledger Wallet, he was required to provide his PII to Ledger’s online service, including the types of PII mentioned above in the “Data Collected Through Our Websites” section, including his first and last name, email address, telephone number, and postal address. In making his purchase decision, Mr. Kissinger relied upon the data security services advertised by Ledger, including the company’s use of third parties and independent contractors such as Shopify and TaskUs to process customer PII. Mr. Kissinger would not have purchased the Ledger Nano device had he known that the sensitive information collected by Ledger would be at risk because of the negligence of Defendants, to whom Ledger entrusted Mr. Kissinger’s PII. Mr. Kissinger has suffered damages described below, including but not limited to the fraudulent removal of cryptocurrency from his portfolio due to a sophisticated scam attack on his Ledger wallet, and remains at a significant risk of additional attacks now that his PII has been leaked online.

D. Plaintiff Scott Sipprell

29. Plaintiff Sipprell is a citizen of Florida and resides in Saint Augustine, Florida. Mr. Sipprell purchased a Ledger Nano S device for approximately $100 on or around December of 2017 for use as a cryptocurrency wallet to control his cryptocurrency assets. On or around December of 2017, Mr. Sipprell saw advertisements online for Ledger services and hardware. Relying on these representations, Mr. Sipprell purchased the Ledger Nano device from an online retailer while in Woodby Island, Washington and transferred his cryptocurrency assets to his Ledger device. In adding cryptocurrency to his Ledger Wallet, he was required to provide his PII to Ledger’s online service, including the types of PII mentioned above in the “Data Collected Through Our Websites” section, including his first and last name, email address, telephone number, and postal address. In making his purchase decision, Mr. Sipprell relied upon the data security services advertised by Ledger, including the company’s use of third parties and independent contractors such as Shopify and TaskUs to process customer PII. Mr. Sipprell would not have purchased the Ledger Nano device had he known that the sensitive information collected by Ledger would be at risk because of the negligence of Defendants, to whom Ledger entrusted Mr. Sipprell’s PII. Mr. Sipprell has suffered damages described below, including but not limited to the fraudulent removal of cryptocurrency from his portfolio due to a sophisticated scam attack on his Ledger wallet, and remains at a significant risk of additional attacks now that his PII has been leaked online.

E. Defendant TaskUs, Inc.

30. Defendant TaskUs, Inc. is a Delaware corporation with its principal place of business registered at 1650 Independence Drive, Suite 100, New Braunfels, Texas 78132. TaskUs had access to Ledger customers’ PII and failed to secure the received PII or implement any security measures or even screening procedures to ensure that its agents, support representatives, and other individuals to whom Ledger and Shopify entrusted the Private PII data would ensure secure handling of the data.

F. Defendant Shopify, Inc.

31. Defendant Shopify, Inc. is a Canadian Corporation with offices at 151 O’Connor Street, Ground Floor, Ottawa, Ontario K2P 2L8.

G. Defendant Shopify Holdings (USA), Inc.

32. Defendant Shopify Holdings (USA), Inc. is a Delaware corporation with its principal place of business in the United States. Shopify Holdings (USA), Inc. acts as a holding company for all of Shopify Inc.’s US-based subsidiaries.

H. Defendant Shopify (USA) Inc.

33. Defendant Shopify (USA) Inc. is a Delaware corporation with its principal place of business in Ottawa, Canada. It is a wholly owned subsidiary of Shopify, Inc. The Shopify entities had access to Ledger customers’ PII and failed to secure the received PII or implement any security measures or even screening procedures to ensure that its agents, support representatives, and other individuals to whom Shopify entrusted the private PII data would ensure secure handling of the data.

34. Upon information and belief, Shopify (USA) Inc. and Shopify Holdings (USA), Inc. are the functional equivalents of Shopify, Inc. because the two entities make no distinction between themselves in the public eye and use the same logos, trademarks, and websites, making it impossible to know the extent of any of the Shopify entities’ involvement in this Data Breach.

III. JURISDICTION AND VENUE

35. Jurisdiction of this Court is founded upon 28 U.S.C. § 1332(d) because the matter in controversy exceeds the value of $5,000,000, exclusive of interests and costs, there are more than 100 class members, and the matter is a class action in which any member of a class of plaintiffs is a citizen of a different state from any defendant.

36. This Court has personal jurisdiction over this action because Defendants Shopify (USA) Inc., Shopify Holdings (USA), Inc., and TaskUs, Inc. are Delaware corporations.

37. Venue is proper in this District under 28 U.S.C. § 1391(b)(1) because Defendants Shopify (USA) Inc., Shopify Holdings (USA), Inc., and TaskUs, Inc. reside within this District.

38. Plaintiffs are informed and believe, and thereon allege, that each and every one of the acts and omissions alleged herein were performed by, and/or attributable to, Defendants.

39. Shopify, Inc. dominates and controls Shopify (USA) Inc.’s and Shopify Holdings (USA)’s internal affairs and daily operations. Not only is Shopify (USA) Inc. a wholly owned subsidiary of Shopify Holdings, which in turn is a wholly owned subsidiary of Shopify, Inc., but there is also a substantial overlap among these entities’ executives, thereby imputing Shopify (USA) Inc.’s and Shopify Holdings’ jurisdictional contacts with this Court to Shopify, Inc. Indeed, Shopify (USA)’s CEO and CFO is Amy Shapero—the CFO of Shopify, Inc. The Secretary of Shopify (USA) is Shopify Inc.’s Chief Legal Officer. Furthermore, Shopify’s job listings note that the company will “hire you [ ] anywhere” as long as it has an “entity where you are.” Shopify, therefore, does not differentiate between its entities for any job responsibilities and thus does substantial business through the American employees it hires through its subsidiary companies operating as Delaware corporations, including Shopify (USA) Inc. and Shopify Holdings (USA), Inc.

40. This Court also has personal jurisdiction over Shopify (USA) Inc., Shopify Holdings, and Shopify, Inc. because they solicit customers and transact business in Delaware and throughout the United States, including with Ledger and TaskUs.

IV. FACTUAL ALLEGATIONS

A. Cryptocurrency Generally

41. Cryptocurrency is a digital asset designed to work as a medium of exchange or a store of value. Cryptocurrencies use a variety of cryptographic principles t