Shopify and Leger Facing Second Class Action Over 2020 Data Breach

Written by Joseph Stepina, Esq.

Canadian e-commerce company, Shopify Inc., faces a new class action lawsuit over a 2020 data breach in which hackers were able to access personally identifiable information of over 270,000 individuals. Shopify contracted with Leger, who sells SAS cryptocurrency hardware wallets, to store its customers’ personal information. In addition, the hackers were able to access personal information of over one million additional individuals who subscribed to Leger’s newsletter.

Leger markets its cryptocurrency hardware wallets as a safe option for consumers because its wallets generate and store customers’ private keys within the device itself without connecting to a network. Leger boasts online that its hardware wallet system “means your keys will never – ever – be exposed to online threats such as hacks and malware, and you don’t need to entrust them to another entity.”

However, hackers were able to steal millions of dollars of cryptocurrency from Leger users. Cryptocurrency blockchain transactions are publicly visible, but the identities of the parties involved in the transaction cannot be traced without the personal information of a party. When hackers have the identity of a person and know on which platform the person stores their cryptocurrency assets, hackers can target the individual through phishing attacks or threats, ultimately compelling the person to make untraceable, irreversible transfers of cryptocurrency into the hackers’ accounts.

Hackers were able to obtain the names, email addresses, physical addresses, phone numbers and other customer information of Leger customers from Shopify and TaskUs, a company that provided customer support services for Shopify. Between June and December of 2020, the hackers published the personal information they obtained on the internet. Initially, Leger and Shopify denied a breach occurred at all. Once the customer information was published online, Ledger alleged that less than 10,000 customers were affected. It finally retracted these false allegations once additional data was published.

The class action litigation is pending in this United States District Court for the District of Delaware. The plaintiffs assert five (5) claims against the defendants including allegations of negligence, unjust enrichment, violations of Florida’s Deceptive and Unfair Trade Practices Act, violations of North Carolina Unfair and Deceptive Trade Practices Act, violations of the Arizona Consumer Fraud Act, and violations of the Kentucky Consumer Protection Act. They seek injunctive relief requiring Shopify and TaskUs to implement security safeguards to protect individuals’ personal information; compensatory, direct, statutory and punitive damages; and attorney’s fees and costs.

A prior class action was filed in California against Shopify and Leger for the data breach alleging the two “negligently allowed, recklessly ignored, and then intentionally sought to cover up” the breach. The California class action was dismissed for lack of jurisdiction.

Leave a comment