Exclusive. Ledger fined €750,000 by CNIL
Ask AI TO SUMMARIZE ThIS ARTICLE

Affected by a data leak in 2020, the global digital asset preservation giant has been found responsible for the management of its customer file.

Your 2 free articles this month are up

The research your peers are already leveraging

The Big Whale gives financial institutions the market intelligence, network, and platform to move with confidence in digital assets. Trusted by 150+ firms.

More than four years after a customer file at Ledger, the world leader in crypto-asset storage solutions, was hacked, the CNIL has ruled that the French company had not put in place adequate security measures to protect its private data.

According to our information, confirmed by the CNIL, the public body responsible for protecting online privacy has imposed an administrative fine of €750,000 for breaches of two articles of the General Data Protection Regulation (GDPR). The first concerns the length of time that data must be kept, and the second the way in which this retention was to be ensured.

When questioned, the company confirmed the sanction and reiterated that it was “firmly committed to implementing the strictest data protection and confidentiality measures, which are continually evaluated and improved”.

These proceedings originated in around fifty complaints lodged with the CNIL by several Ledger customers (residents of France and other EU countries), whose private data had found its way into the wild following two hacks.

The first occurred between May and June 2020, when two hackers recovered the file of around 290,000 customers via the Shopify e-commerce platform.

The leak concerned the names, telephone numbers, email addresses, as well as the physical addresses of customers who had ordered a product from Ledger's website. The two people responsible for the hack have been arrested, as The Big Whale revealed in March 2023.

It's important to point out that Ledger's crypto-asset storage technology has never been compromised. “Ledger products have never been exposed, as this incident only concerns the e-commerce business,” the company reaffirmed.

However, the posting of the file on hacker forums led to multiple scam attempts, some of which involved sending fake Ledger Nano devices through the post to steal cryptocurrencies from targeted individuals. "Data breaches expose data subjects to fraud attempts (phishing, identity theft)," commented a source close to the CNIL.

Ledger suffered a second hack in June 2020, this time affecting one million people, attributed to a flaw in an API key. The hacker was not arrested.

Contacted, the company did not immediately respond to our questions.

Format
News
Grégory Raymond

Grégory Raymond is Head of Research and co-founder of The Big Whale. A specialist at the intersection of traditional finance and digital assets, he has been covering the regulatory, institutional and technological developments of the sector since 2017 for an audience of decision-makers: ,banks, asset managers and fintechs. He is also the author of Bitcoin & Cryptos: L'enjeu du siècle (Talent Éditions, 2025), a book built around interviews with key figures from the ecosystem.

See all articles ↗
Subscribe to The Drop
The leading weekly briefing on digital assets for financial institutions: independent analysis, reports, benchmarks and exclusive events, delivered to your inbox.
Read by 30,000 professionals
November 12–13, 2026

The Geneva Summit

The Corporate Gateway: where the future of onchain finance is decided. 300 handpicked decision-makers. One shared mandate.
300
Decision-makers
2 days
Intensive program