Ledger, a leading hardware wallet provider for cryptocurrencies, continues to grapple with the fallout from a significant data breach that occurred on July 14, 2020. The breach exposed customers' email addresses and associated transactional data such as purchased items. In response, the company is making significant efforts to bolster how it protects user data and to increase transparency with users.

Matt Johnson is the Chief Information and Security Officer (CISO) at Ledger. Having spent years as a member of the Australian Federal Police, he is at the forefront of both physical and cyber security efforts, and he has been at the forefront of dealing with the effects of the breach. Having served in other vital security roles at Ingenico and Visa, he’s fully prepared to ensure history doesn’t repeat itself. His experience and insights are crucial as Ledger, which provides cryptocurrency wallets and infrastructure, seeks to address the unique data security challenges of the rapidly evolving cryptocurrency industry.

The 2020 Data Breach: A Timeline of Events

The first breach in July 2020 affected Ledger’s e-commerce and marketing database. A security researcher found the vulnerability via Ledger’s bounty program and immediately reported the security flaw to the company. This breach exposed more than a million email addresses and other sensitive customer information. It raised serious and justified concerns about potential phishing attacks and other malicious activities.

On December 23, 2020, Shopify notified Ledger of an incident involving unauthorized access to merchant data. This compounded an already complicated breach. Rogue members of Shopify’s support team had, through repeated individual actions, gained direct access to customer transactional records. These included almost 272,000 Ledger customer records containing customer names, addresses, and phone numbers.

Ledger's Response and Security Enhancements

Ledger has since patched the vulnerabilities that led to the data breach, and it is rightly committed to protecting its users from future harm. The company launched a dedicated page on December 16, 2020, to provide information about ongoing phishing campaigns and educate users on how to identify and avoid them. This resource provides a one-stop shop for updates and precautions, allowing customers to be more informed and on guard.

Beyond this new informational landing page, Ledger has taken steps to reduce the volume of customer data retained on its servers and databases. The company announced that it is implementing stricter data retention policies. Its ultimate aim is to retain data no longer than absolutely necessary for legal and customer service obligations. This initiative slows an attacker’s discovery process by reducing the amount of sensitive data that is visible and exploitable, which in turn mitigates the damage that future breaches can cause.

Ledger is working with its partner Corsearch on an international program to detect and take down phishing websites. To date, this effort has removed 216 harmful sites that were intentionally crafted to harvest users’ credentials and crypto. This forward-looking approach helps keep Ledger’s customers from inadvertently entering credentials on phishing sites, where they can be misused.

Matt Johnson's Role and Vision

Under the leadership of Matt Johnson, Ledger’s new CISO, security is once again Ledger’s top priority. He brings deep knowledge of and experience in physical and cyber security. His experience in leadership positions at major financial institutions makes him better poised than most to lead Ledger’s security efforts. Johnson’s background as a former Australian police officer also gives him an impressive and rare international perspective. His deep insight into the criminal mind and modus operandi, along with his investigative prowess, translates directly into the cybersecurity world.

Johnson’s time as Group Chief Security Officer at Ingenico and Director of Cybersecurity at Visa honed those talents further. He is now uniquely qualified to take the helm and address the challenges ahead for Ledger. He is committed to fostering a positive security culture throughout the organization. Beyond that, he’s rolling out new and innovative security technologies to strengthen customer data safeguards.

Johnson also believes in a multi-layered approach to security that integrates proactive measures with incident response capabilities and continuous monitoring. He is committed to transparency and open communication with Ledger’s customers. He keeps them closely informed on security enhancements and acts quickly on their concerns.