Shopify has been named in a putative class action, with a number of named plaintiffs alleging that the e-commerce hosting platform, along with content moderation provider TaskUs, failed to exercise “reasonable care in securing and safeguarding consumer information in connection with a massive 2020 data breach impacting Ledger SAS hardware wallets,” which are used to store individuals’ cryptocurrency holdings and other digital tokens. The sweeping breach was caused by “rogue members” of Shopify’s support team, “including employees of TaskUs, Inc.,” the plaintiffs assert, and ultimately, resulted in “the unauthorized public release of approximately 272,000 pieces of detailed personally identifiable information.”
In the complaint that they filed with a federal court in Delaware on April 1, Plaintiffs Gregory Forsberg, Christopher Gunter, Scott Sipprell, and Samuel Kissinger allege that Shopify, which hosts Ledger’s e-commerce site, and TaskUs “repeatedly and profoundly failed to protect [Ledger] customers’ identities,” resulting in the [their] personally identifiable information – from full names and telephone numbers to email and post addresses – being accessed in the July 2020 breach and subsequently shared across the dark web.
(Ledger – which recently partnered with LVMH-owned brands Fendi and Hublot for luxury crypto hardware collabs – is not named as a defendant in the lawsuit, although it and Shopify were both named as defendants in a previously-filed class action related to the breach. That case, which was lodged in the Northern District of California, was dismissed on personal jurisdiction grounds.)
Aside from making such information available to “every hacker who wanted access to [it],” the plaintiffs assert that such alleged failures by Shopify and TaskUs to safeguard consumers’ information is particularly problematic because it means that they are “no longer in possession of a secure cryptocurrency portfolio.” Specifically, Forsberg and the other named plaintiffs, who had their personal information stolen after hackers accessed Shopify’s list of Ledger customers, claim that while “cryptocurrency transactions are publicly visible through a transaction’s underlying blockchain,” they “cannot be traced back to their particular owner without more information.”
“When hackers know the identity of a cryptocurrency owner and know what platform that consumer is storing their crypto-assets on, the hacker can work backwards to create a targeted attack aimed at luring hardware wallet owners into mounting their hardware device to a computer and entering their passphrase, allowing unfettered access and transfer authority over their crypto-assets,” the plaintiffs assert. And that is precisely what happened here, they claim, stating that in the wake of the Shopify breach, hackers engaged in “targeted attacks on thousands of customers’ crypto-assets and causing [the plaintiffs and proposed class] members to receive far less security than they thought they had purchased with their Ledger Wallets.”
The plaintiffs allege that Shopify and TaskUs’s “misconduct,” including but not limited to “their failure to (a) prevent the data breach and (b) take action in response thereto for approximately six months – if not longer – has made [them and other class members] targets.” Such alleged misconduct was only made worse, according to the plaintiffs, by Shopify and TaskUs’s “deficient response,” including their “failure to notify every affected customer or admit to the full scope of the data breach,” which resulted in “many Ledger customers falling victim to hackers’ phishing emails and resulting fraud.”
With the foregoing in mind, the named plaintiffs set out claims of negligence, unjust enrichment, and violations of various states’ consumer fraud and deceptive and unfair trade practices laws, and contend that they have suffered damages as a result of the defendants’ negligence, including “the fraudulent removal of cryptocurrency from [their] portfolios due to sophisticated scam attacks on [their] Ledger wallets.” Beyond that, they argue that they “remain at a significant risk of additional attacks now that [their] personally identifiable information has been leaked online.” In total, they claim that damages in this case exceed $5 million and that the number of class members exceeds 100 people.
Reflecting on the potential damages at play in such a case, Covington & Burling lawyers Samuel Greeley, Ashley Simonsen, Mike Nonaka, and Kathryn Cahoy state that “due to the nature of cryptocurrency valuations, the individual damages claims in these cases have the potential to far exceed the more nominal individual amounts in a typical data breach case where the primary payout is identity theft protection services.” However, these cases are hardly expected to be straightforward matters given that “cryptocurrency transactions often are non-reversible, [and] so, unlike thefts from traditional online banking services, it may be difficult or impossible to claw back stolen crypto funds” – which is presumably why more easily-identifiable and accountable parties like Shopify and co. are named as defendants in these largely negligence-centric lawsuits.
Other cases have been filed recently involving similar theories relating to data breaches that allegedly resulted in the theft of cryptocurrency, including in the Northern and Central Districts of California, the Covington & Burling lawyers state, which they say, “suggests that this area will continue to face increasing litigation activity.” In addition to suits centering on the theft of cryptocurrencies, the number of suits being filed against marketplaces like OpenSea in connection with the theft of non-fungible tokens (“NFTs”) from users’ crypto wallets in connection with phishing attacks that were allegedly caused by platform owners’ negligence is also growing.
“As cryptocurrency storage and related transactions,” as well as enduring purchases of digital tokens, such as NFTs, “increasingly feature in companies’ online presence,” Greeley, Simonsen, Nonaka, and Cahoy claim that “there is likely to be a growing risk posed by threat actors motivated to target crypto-related assets and data, and more litigation activity in this space.”
The case is Forsberg v. Shopify, Inc., 1:22-cv-00436 (D. Del.).