WBD290 Audio Transcription


Ledger Hack - What Happened with Pascal Gauthier

Interview date: Tuesday 22nd December

Note: the following is a transcription of my interview with Pascal Gauthier. I have reviewed the transcription but if you find any mistakes, please feel free to email me. You can listen to the original recording here.

In this interview, I talk to Ledger CEO, Pascal Gauthier. We discuss the data breach, their disclosure of the hack, how they communicated with those affected and their plans moving forwards.

“I can never repeat enough that we are sorry, but sadly we cannot go back in time and undo it… now we focus on the present and the future.”

— Pascal Gauthier

Interview Transcription

Peter McCormack: Pascal, hey man.  Look, thanks for doing this at short notice.  I know you're obviously going through a really tricky time at the moment and lots of people are angry and upset, but I think that full transparency's the right way.  I messaged you last night, you got back to me straightaway and actually, it was your suggestion, people should know that.  So, yeah, thank you for coming on.  How are you doing?

Pascal Gauthier: Yes, Peter.  Well, first, thanks for having me.  I think you're right, it was important for me to be here and with you.  I think I want people to understand that we're not shying away from this and we're trying to be as transparent as possible.  We're very apologetic for what has happened and it's not something pleasant, or that we don't care about at Ledger.  I read some comments saying that we're careless and that we don't care; we actually care a lot.

I'm here with you today because I want people to understand that we're trying to be as transparent as possible, to go as fast as possible, to protect them as much as possible; and, we will always act like this in the future.  So, me being here today is to demonstrate, I hope, all of this, so thank you for having me.

Peter McCormack: No problem at all.  Okay, so look, we've got a lot to get through, we've got a lot of questions.  I might jump around a bit because I put that tweet out and I think I had 300 comments and DMs and emails; but, I've tried to group them together around the main questions.

So, I guess the first area is just to talk about the kind of data you store, because I think this is something people want to know about, because there are people affected, there are people who aren't affected but may be worried about their data, so can you just talk me through what data you currently take from customers who buy a ledger device and what you actually store?

Pascal Gauthier: Sure.  Actually, we try to take and store as little as possible, but we are obliged to register and store some of the data that is entrusted with us by our customers.  So, typically this data breach is about marketing data, so it's the data that we need to get from you and store because we're going to ship you a device and then we need to stay in contact with you to let you know what's going on in terms of the future of Ledger, the new products, the new features, or typically, in the case of a data breach, you know, the day that the data breach happened, it's very important that we stay in contact with our customers; so, we need a minimum of information.

In this data breach, what's unfortunate is some of the data has leaked beyond email, so personal addresses, your mail address at your home, or your delivery address, it can be either/or, and your telephone number.  So, that's what's very sensitive to people right now.  They understand probably email more than the rest and they need to understand why the rest has leaked, and I'm here to explain that.

Peter McCormack: Okay.  So: name, address, email, phone number; is there any other data?  I mean, I'm assuming you store data on what devices people buy and you probably store other data in terms of the data you get from Google Analytics; is that it; is that the data?

Pascal Gauthier: That's really it.  And the thing is with people, the main message is, your crypto is safe.  So, no worries: this is not data that gives anyone access to your device or lets anyone know what you have on your device.  People are very afraid now that people can sort of match the two databases and understand how much crypto you own and match that with the database of where you live.

That's actually not possible, because we don't keep, first of all, data like this on our customers, like we don't know what you own; we don't know how to link that to your device; and so therefore, nobody can link the two together.  I think this is really important to understand.  So, your crypto is safe and data cannot be packaged together so people know where you live and how much you own.

Peter McCormack: So, do you store any wallet data at all?  Do you track the types of wallets being created at all?  Do you have aggregate wallet data, or individual wallet data at all?

Pascal Gauthier: No, we don't track wallet data at all; we wouldn't know how to.  We have our explorers, so Ledger explorers work in a way that if you use Ledger Live, you will hit on our explorers, so we will know which addresses are used by Ledger wallets, but we don't know addresses linked to specific wallets.  So, we just know a bunch of addresses have hit our explorer and we know they're from the Ledger community, but that's pretty much all we know.

You know that because you asked me the last time I was on, I think, but on top of that now, we have full node support, meaning that you don't actually need our explorers; you can run Ledger Live on your own node.  And so, we don't even need to know that information and you can actually use your own node for this.

Peter McCormack: How about, do you store any IP address data, xPub data; do you track any transaction data?  Some people have said that you store certain data for tax reasons; is that correct?

Pascal Gauthier: The data that we store for tax reasons are the data that were in the leaked database, so tax reasons are -- the tax authorities will ask us how many devices have we sold, to whom, in which state, etc, which is why we store this data, but nothing to do with your crypto and taxes relating to your crypto; we wouldn't know this and we wouldn't know what to give to the tax authorities because we just don't have anything of the sort to give.

Peter McCormack: Okay.  I'm assuming you're GDPR compliant; can people request to have data removed; is there a process in place for that?

Pascal Gauthier: Of course there is a process in place.  They can go through our Customer Success team.  There is a specific section where you can ask for your data to be removed and it takes around one month for your data to be removed.

Peter McCormack: Okay, that's a good useful starting point.  Now, let's go through what happened.  So, can you take me back to July, what happened, what you were aware of at the time; and then, we'll probably get into the actions you took?

Pascal Gauthier: Yeah, exactly.  So, I think the key here is, what were we aware of at the time?  So, when it happened in July, we did everything that we could to understand what actually happened, which is not necessarily easy.  People might think that it's just opening a book and you see the code that was stolen, but it's actually very difficult.  So, we actually hired a forensic team to let us know what had happened, and we were not sure about many things.

We communicated on the things that we were sure about, because when you have that type of crisis, the worst thing you can do is be unsure about things and try to spread rumours.  So, you can only say what you're sure about and what we were sure about at the time was that 1 million+ email addresses had been leaked, and that there was a subset of users, 9,500, where it was not just the email address, but other type of data had been leaked.

So, what we did at the time was to practically communicate to everyone that data had leaked, and so we sent an email to the whole database for a start.  Then, we sent a sub-email to that sub-database of 9,500 users to let them know, one by one, specifically what specific data to them had been leaked.  And at the time, that's what we knew.

Peter McCormack: So, how do you actually know, because obviously that data was incorrect; we know that now?  So, how do you actually know at the time what data has been stolen; how do you actually find that information out?

Pascal Gauthier: Because we could see some logs of what had been extracted and from the logs, we could interpret for sure that the subset of 9,500, more than just the email had been extracted.  We didn't have evidence that it was more than 9,500.

By the way, maybe to take a step back, Ledger has no interest, has no upside, to hiding this to our customers.  If we had known at the time that it was for sure 270,000, like we know now, we would have said it at the beginning.  There is no upside for us withholding that information.  It puts our users a bit more at risk; it puts us in a difficult spot today; so, we have no incentive to hide this information from our users. 

And I know, because I've seen the comments, a lot of people are calling Ledger a liar, or me, as a CEO, a liar.  I am not in this business to lie to my customers.  I'm proud of my work ethics and to me, being very transparent to our users is top of our list.  Actually, transparency is one of the core values at Ledger so if we had known, we would have said.  Now that we know, we're saying it, and so the subset now of close to 270,000 users, they're going to get, in the next 24 hours, a personalised email with exactly the data that was leaked, and they can count on us to do that.

Peter McCormack: Okay.  I guess, what people would want to know is, you thought 9,500 had been leaked, it turns out it was about 270,000; were these therefore in different databases; are there different databases you store information on customers on and that's why; or, did you assume just a subset of 9,500 from within a database had been stolen; or, is the total size of that customer data 270,000?  I'm trying to understand how this --

Pascal Gauthier: No, it's just about the logs.  So, when you do an analysis of what has happened, you look at the logs, and we had partial logs to what was extracted and then, we actually assumed that maybe it was a broader attack, which we actually said in the first communication.  So we said, in the communication, we said, "This is what we're sure about", but we also told our users that they should assume that more data was actually stolen and thus, protect themselves in this case.  So, that's why we said, because that's what we knew at the time.

Peter McCormack: Do you know how the attack happened, the actual steps they went through?  What was the vulnerability or the weakness you had that was exploited?

Pascal Gauthier: For sure.  By the way, Peter, all of this has been extensively documented on our website so again, we're not hiding information.  And, if you pay close attention to what has been documented on the Ledger website, and I've got a blog post coming out after this just to remind everyone what we've done, where we are, where we're going; so, all of this has been very thoughtfully documented.  And, back to your question that I just forgot by saying this; sorry!

Peter McCormack: Yeah, no, I mean I've seen it out there and I will share it all in the show notes so people can access the data that you've shared out.  But, what I was asking was, what was the vulnerability or the weakness within the Ledger process that enabled this data to be accessed?

Pascal Gauthier: Yeah, for sure.  So again, this has been documented on our website, so I'm just going to repeat what's already out there, but all of these things, it's really a simple mistake and about that, we're very sorry.  It's just that when you build an ecommerce stack, you have different pieces of the ecommerce stack that have to speak to each other.  So typically, you have the store and then you have your mail client. 

So basically, it's a wrong API key that got coded on the mail client to import the database from the store.  That got coded in the wrong placement and so therefore, was coded where it shouldn't be coded, and exposed the database to a simple attack.  It's as stupid as that.

Peter McCormack: So, some people say the data wasn't encrypted, so what's the deal with that?  Was the data not encrypted, or is this to do with how the data moves between systems and the API; help me understand that?

Pascal Gauthier: Yeah, sure.  So, like I was saying just before, the data was not encrypted because it was coded in the wrong place of the website, let's say.  When you code those API keys, either you put them in secure areas that have been designed for them, or you don't and it's a mistake.  Therefore, that's when people say it was not encrypted because, yes, it was misplaced and so therefore, hackers could access it and read the data, which they shouldn't have been able to do.  But, it's not as if we intentionally didn't encrypt our data; of course, it was an honest mistake.

Peter McCormack: Yeah, I get that; I mean, of course, nobody would do it on purpose.  But, even an honest mistake can have implications for a lot of people, and now people are obviously concerned.  I think one question to ask would be, for other companies looking at this who may have their own vulnerability here that they might not realise; what was the mistake within the process that allowed this to happen?  Is it that there were not enough people that were checking the code?  What have you changed now, because you can fix the problem, but what stops that happening again in the future?

Pascal Gauthier: Sure.  When those things happen, it's usually a cascade of mistakes; the wrong people code the text; no one checked after; it stays up for a long time; and suddenly, you realise that it's happened when it's too late.  We actually realised that this has happened through our Bounty program.  It's a program where security researchers can tell us where they find a security vulnerability.  So actually, it's through our Bounty program that we found out about the leak and that we could stop it.

Then, once you know and you can stop it, then you take every possible measure.  So first, you recode the API key so it's not exposed anymore; then you review the entire code, and we've hired several teams actually to do penetration testing on our ecommerce stack to make sure that it was secure and that no other data was leaking anywhere.  And what we're doing now and what we'll do in the future is keep on investing in people and technology so we can counterattack and make our users more secure in the future.

Peter McCormack: Okay, so you said this was found through the Bounty program, but does that mean somebody within the Bounty program was malicious with the data?

Pascal Gauthier: No, it was actually an honest researcher who -- when you do those things, you get the white hats and the black hats.  The black hats are the attackers who are trying to steal the money and the white hats are those that are trying to defend you.  So typically, the researcher that declared the vulnerability is a white hat.  They do this for a living and they get a reward through the Bounty program and that's what happened at the time.

Peter McCormack: But, if they're a white hat hacker, how did the data get leaked?

Pascal Gauthier: Because we had a black hat hacker that knew about the vulnerability before and exploited the vulnerability to extract the database.  It's just that the white hat hacker understood the vulnerability after it was exploited by the black hats.

Peter McCormack: Right, okay, I see, so chain of events.  Okay, so you've said that you've communicated with the 9,500.  Have you communicated with everybody who has had information leaked, and have you also communicated things to people who haven't had information leaked to let them know that you've been through this process, what's actually happened?

Pascal Gauthier: Sure.  I mean, everyone that had information leaked was contacted and we broadly communicated on our website, on Ledger Live, on our Twitter accounts, on Reddit; I mean, everywhere we could, on what happened.  So everyone, whether they are prospective customers, new customers; I mean really, everyone knows about what has happened.  And again, there is no reason why Ledger should shy away from this.  We believe that transparency is key in these matters.

If you take a look at our website and the dates of publications, you will see that there is actually a lot of literature that has been published; thousands of tickets that have been answered to; hundreds of websites that we've been taking down, because the data breach is one thing but then, at the same time happened a lot of phishing attacks against our users probably using the database that was breached at the time.  So, we've been fighting those phishing attacks for months now. 

I think also, this is why users are really annoyed, because they've been attacked by those scammers for months and we've been trying to fight them off.  We've actually done a lot ourselves.  We've asked our community to help to try to take those websites down as quickly as possible, so less people are hacked; but, phishing attacks are very common in our industry and it's a threat that we need to all work on together to protect each other.  So, we are doing our fair share and our users are also helping.

Peter McCormack: What have you learned through the process specifically in terms of how to deal with it, and are there things you think you've got wrong you could have done better; anything to do with your communications?

Pascal Gauthier: You know, I think we've learned a lot.  Crisis management is definitely an interesting one and so, we've learned a lot and we've taken many measures, and one of them was to hire a very experienced Chief Information Security Officer, who is going to join the company early January, and we really hired someone who is top notch in his field, because we need to double down on security. 

I think our mistake probably at Ledger is to make sure that our technology is very secure and on that, I think we have the best product in the market right now.  Your Nano, paired with your Ledger Live, is the most secure solution you can find in the market, and we are very proud of that.

Peter McCormack: Is that true; is that really true?  Is it more secure than a Coldcard?

Pascal Gauthier: I think it is.  I mean, there are two things to be taken into consideration: security and ease of use.  So, we should take those two together.  But I would say to your question directly, I would say, yes, because we will publish several things in the future that keep on demonstrating Ledger security dominance in the field.  But, if you take security and ease of use, yes, I would feel that we have the best product in the market.  But, my point here is --

Peter McCormack: Sorry, Pascal, that's a different point; best product in the market as opposed to securest.  I would agree that the Ledger is, in terms of UX, the best.  I've used yours, Trezor and Coldcard; yours is without doubt the easiest to use.  I would challenge whether it's the most secure.  I would probably say that the Coldcard is the most secure.  I mean, we don't have to debate that now, but I think it's important that I at least share my opinion on that, because I've looked at all the products.

Pascal Gauthier: So, I will send you an attack that was published by the Donjon on the Coldcard Mk2 wallet security and you will see that there could be some security issues there.  But anyway, the point is --

Peter McCormack: Is that the laser attack?

Pascal Gauthier: Yes, it's the laser attack.  But anyway, I'm not trying to make that point.  I'm trying to say that we are big on security and we really focus on the security of our product and we might have overlooked the security of our processes, our ecommerce stack, which is why we find ourselves in this situation. 

So, to your question, "What have you learned from this crisis?", I think that we learned that we need to do better in terms of overall security for the company for our users; that's my point here.  And we can turn to the debate of who's the most secure another day, I think.

Peter McCormack: Okay, yeah, we'll save that for another day.  So, in terms of people who have had their data leaked, this again is a reminder for me how many people aren't competent technically.  So, I like to make a show which covers the basics for people and some of the DMs I've received, some of the emails from people who are concerned, are asking very basic questions.  Again, at some point, I should try and share these so people understand how certain customers may think.

But, we should answer some questions specifically for them right now.  One question that's come up a few times in my DMs is that people are actually scared to use their Ledger right now.  They said, "If I plug my Ledger in the 'use Ledger Live' now, am I safe?"

Pascal Gauthier: You're safe 100%.  There are no problems, no worries there, so you can use it; you should use it.

Peter McCormack: So, what are the things that people should not do?  If someone's listening to this right now, they're aware their data's been taken, what are the things they should look out for, the risks they now face?

Pascal Gauthier: Same risks as before actually.  Phishing attacks are all about making you share your secret and your 24 words.  So, the one thing that we keep on saying, keep on repeating, is never share your 24 words with anyone.  Ledger will never ask you your 24 words.  No one should ever ask you your 24 words; your 24 words are just for you.  And, the only safe places to enter your 24 words are directly on your Nano S or your Nano X; that's it.  Outside of this, never share your 24 words.  If you follow that simple rule; you cannot be hacked.

Peter McCormack: Are there any things that people should do?  Are you making any recommendations with regard to people changing phone numbers, email addresses?

Pascal Gauthier: There are a bunch of things that people should do, but let me address one point that is made also in the comments on Twitter.  So, the question is, "Now, if people have my home address, can they attack me; and what are Ledger going to do about this?"

So first of all, about this whole incident, I can never repeat enough that we're sorry, but sadly we cannot go back in time and undo it.  So, once the database is out, it's out.  So now, we focus on the present and the future; what can we do now and what can we do in the future to improve the situation? 

So, when it comes to physical threats and physical attacks, I think it's a fair concern from the users and I understand why our users, our customers, are feeling concerned with this.  But I would say that, number one, the Ledger device has been designed to protect you from physical threats; so, there are a few things that you can do with the device itself, and I will document this in my blog post that will come out later today.

The first thing is, you should know that if you type the wrong PIN code three times, it will sort of wipe out your device and bring it back to the manufacturer setup.  So, in case of a physical attack, the only thing that you have to do is type the wrong PIN code three times and it will wipe out the device, and so it is then impossible to steal the funds, of course.

Of course, that is true, if you don't keep the 24 words with you in the same location, so we always give the guidance to the users that they should not keep the device and the 24 words together, and they should put 24 words in a safe location that is not home.  They should put it at the bank; they should split it in two; put it somewhere.  But, the 24 words is a real problem for the industry overall and the way that you keep them is also a guarantee of your security.  Recommendation 1, recommendation 2.

Recommendation 3, there is actually a protocol plausible deniability that you can do with your device where you can have two PIN codes actually on the same device: one PIN code to access your real funds and another PIN code to access a dummy account.  So, plausible deniability means if the wrong person asks you to open your device, you can open it with a PIN code that accesses the wrong account.  So, those three things taken together is a set of protections against physical attack.

Now, the last thing I want to say about physical attack is that it's not because I know that you bought a Ledger device one day that I know how much is on it, and so you can't have those two databases together because they just don't exist.  So, I know you've got a Ledger, but I don't know if you've got $100 or $10 million on it.  So therefore, for me to come to your place, I would need to know a bit more than just knowing that you own a Ledger.

Peter McCormack: True.  That doesn't mean that people won't.  So, I think there's some certain amount of other work that can be done to try and understand.  Like, there may be people with certain personalities within the industry; they may be able to do other types of lookup to try to get an idea of maybe how long they've been involved in Bitcoin, or what kind of salary they earn, and kind of make some assumptions and use that as enough information to go and threaten somebody.

It's funny -- well, it's not funny, but I was talking to somebody about this beforehand.  I raised this, but I don't think there's anything you can do about it.  You can't put in a program to prevent this; you can't rehouse everybody; it doesn't logically make sense to rehouse everybody; but, there is that ongoing threat now that people have, should someone start to try and engineer the data they have to make some assumptions.  It's not a zero risk, right?

Pascal Gauthier: No, it's not a zero risk.  But, what's the risk for you, Peter?  I mean, people know you've got crypto, plus you're a public figure in the space, you know?

Peter McCormack: Yeah, but I've planned for that.  So, one of the things I've done is, again, I was talking to somebody about this.  I am aware I'm a public figure and I own Bitcoin; people know I own Bitcoin.  I'm not rich Bitcoin, but I have some, right.  So, I've planned for this in that there is no Bitcoin ever stored in my house; it just isn't.  I'm happy to be quite public about what I do for my security, because it's such a pain.

It's over a 24-hour operation for me to move Bitcoin, but I do that on purpose, because I have to make it pointless for someone to attack me.  Other people might not be thinking that and I'm just wondering, I don't even know the answer.  I guess it's something I'd ask Jameson Lopp, but I wonder if other people --

Pascal Gauthier: It is the answer, Peter.  I think once you are taking care of your own security, you need to think what you're doing is actually what everyone should do in a sense that, Ledger will only solve part of the equation anyway.  You, as the user, will always be a link into the security equation.  So, if you don't protect yourself against threats and if you don't think about those threats, then those threats become real.

So, like you said, there is no -- once the genie is out of the bottle, there is no going back.  But, I would advise everyone to think about their physical security; how they're handling it today.  And, you should know also that, you know this, there have been many other data breaches in this industry; Coinbase, Binance, the biggest one and long before us.  And, attackers actually focus a lot on online and online attacks.  Why; because it's cheap.

A physical attack is actually more expensive.  No one is going to take a plane to go and attack someone specifically, unless it's a bigger attack and we know specifically that it's you, Peter, and you have so many Bitcoin because you've expressed it freely on the web, etc.  But, the reality of attacks is what works, and what attackers are doing is a lot of cheap attacks on as many people as possible to make it profitable for them.

So, what's happening right now is more of these attacks, trying to steal the 24 words and trying for you to enter them into a dummy website; that's what we're seeing today.  Granted, there is no zero risk that people would come to you; I mean, that would be foolish to say otherwise.  But I think that in general anyway, if you keep value at home, or if you keep value with you, you need to think about physical threats in general and put in place the type of things that you did put in place for yourself, Peter.

Peter McCormack: Yeah.  Well, the point is, would you keep $20,000, $30,000, $50,000, $100,000 in your house?  No, that would be crazy; you'd keep it in the bank.  And, you have to consider your security is your own personal bank.  I mean, I recommend, ever since I've been with Casa, I would recommend everybody who has a serious amount of Bitcoin to consider setting themselves up with that, because it does protect you in so many ways.

Pascal Gauthier: Just on this, you're right, because you asked me the question offline, but multisig is definitely -- this is why I'm saying today, like in the present.  What I'm saying for tomorrow, and I already announced it; we did a Ledger decoded event where we announced the future of Ledger and the products that we will take to market in 2021.  Multisig is something that we're considering, but actually we have many products coming out in 2021 that are here specifically to solve the situation that we're in today and the situation that you're in today.

How do you keep $100,000 at home, you know, and still be safe?  And so, we will answer those questions in 2021 by bringing clever products to the market.  That includes multisig, but other things too.

Peter McCormack: Are you updating your own products at all on reflection of this?  So, for example, one developer I spoke to said multisig on a Ledger is a bit of a pain compared to other devices.  Are you reconsidering your product design at all?

And also, adding to that, are you also considering any change to how you sell devices and what data you will store, or will you continue to store the same data?  Sorry, that's two questions there!

Pascal Gauthier: Right.  Let me start by the latest one.  What we're considering right now, there was a question about our Data Protection Officer.  Someone under your tweet said, "They just fired their Data Protection Officer and they're recruiting a new one".  So, first of all, we didn't fire our Data Protection Officer; she just found a great job, a great opportunity and she went elsewhere, and we thank her for the work that she's done so far at Ledger and we hope that her next venture will be amazing for her. 

And, yes, we recruited for a new Data Protection Officer, because data protection is actually very important in the industry at the moment.  Again, data hacks are at an all-time high and we need the best possible protection.  What we are thinking of doing for the future is trying to minimise the data; we keep on minimising the data that we're taking from users, to the detriment of business, because it's always a balance between the data that you gather, the marketing that you can do, and the business that you can do.  So, the less data you take, the less business you do.

So, it's a delicate balance to find, because we need to do business in order to invest into security.  A security company without money is a bad security company.  So, we need to maximise business in a way so we can reinvest in people, in technology, in everything to make our users secure, and find the right balance there.

But, I was discussing this with Ian Rogers earlier on today and he says, typically something on his radar is, how can we find that delicate balance and ask for as little information as possible from our users, while maintaining good business.  So, that's on our radar.

Peter McCormack: Can you delete, say, the address data, the phone number data, once the order's been made; do you have to hold onto that?

Pascal Gauthier: You have to hold on to some for almost, like, ten years for tax purposes, etc.  But, there are different ways that you can keep it.  You don't need to keep it online; you can keep it offline.  And to be honest, we don't need it.  Once we ship you the product, I don't really care to know where you live; we don't need the data.  So again, the data breach was really a mistake and what we're going to do in the future is going to be very different from what we've done in the past. 

Everything is moving right now and we will deliver news to our customers as soon as we have it, to let them know how we're going to deal with data in the future.  But, it's a complex process because it involves regulation and people who treat this by saying, "Oh, we just wipe everything after three months", that's all good and well, but technically that's actually not quite possible in the regulation that we live in. 

Regulation about data is very strict and so, we're trying to protect users but in order to protect them, we need to keep some data; so, there is no straight answer.  People are asking for black and white answers on the matter, which I understand, and from a consumer standpoint should be black and white; but people should also understand that these matters are increasingly complex, mostly because of regulation.

Peter McCormack: Okay, all right.  Just a bit of a sidestep now.  How are spirits within the company?  This is obviously probably one of the -- you know, you've had a long run of success; you are the number one seller of hardware wallets; you've done very well; this must be a real kick in the teeth within the company.  How are spirits within the company?

Pascal Gauthier: The spirit is good; we are serious people; we try to do our best.  This is definitely not a pleasant moment for the company, but everyone is dedicated to making this situation better.  And, we want to thrive from the crisis and not collapse because of it.  So, what it's going to do to us is going to enthuse us to do better for the future, and we're doing many things right now to just make things better from a product standpoint; from a product technology process; but, we're also trying to find the scammers.

We have law enforcement agencies that are well aware of the situation, and they are moving Earth and Heaven to find them, and we are spending a lot of time and resources in order to properly solve the situation.  So, all this is going to do is to make our company much stronger, much better, and we are very dedicated to this right now.

Peter McCormack: How are you going to restore confidence with the public, because you've seen the replies?  You're having one of those awful days where everyone's talking about you on Twitter; it's actually been going on obviously since July, a lot of questions.  How do you rebuild confidence?

Pascal Gauthier: Well, first, reminding everyone that your funds are safe and that you should never share your 24 words; and then, that we'll be relentless in making this better.  Once someone has lost confidence in you, I'm not going to say anything magical right now, so suddenly they're going to think, "Oh, wow, I trust these guys again", so I think it's very hard to earn trust.  What we'll do is to do the best that we can do today and in the coming days, and in the future, just to build a better company, a better product, better features, especially next year, coming to solve these types of situations. 

When people look back, those people that lost trust in us, they'll look back in six months and they'll say, "Ledger has done well, so maybe I trust them again", and maybe they won't.  In French, we say sometimes, "C'est la vie", and we fucked up and we're sorry, but we're going to do better and we're going to earn your trust back.

Peter McCormack: Okay.  I mean, I've got two suggestions of things you could and should do.  I mean, you've obviously been through the comments in the post I put out, and there's a lot I didn't get to include.  A lot of people have been asking, are you going to compensate people?  I'm going to knock that one on the head myself.  I just don't think that's possible.  If it was $100 for everyone who had an email stolen; that's $100 million; that would bankrupt the business. 

There's no way I think you're going to build in a scalable compensation programme.  I don't know if you've plans for any but just to me, if I was sat in your position, I don't think it is.  But I do think there are two things you could do.

I think you could invest in doing a tutorial, educational series, perhaps working with someone like Lopp from Casa, explaining the best security that people can do, the things they can look at.  I don't know if you already have something like that, but I think that would be good.  I also think one thing you could do is make a donation towards Bitcoin open-source dev, especially those working on privacy and security.  I think that would be a good gesture back.  I don't know what you feel about either of those ideas?

Pascal Gauthier: Well first, I believe that those two ideas are great, but I'll tell you what we're going to do.  First, your comment about bankrupting the company if we were to reimburse $100 for every email that we've lost is accurate.  If we were to do that, then we're out of business and we might as well close the company tomorrow, which we won't do.  What we will do though is to keep on investing a lot into security processes in the spirit of strengthening the product, the business and the community for the future. 

This is only the beginning of crypto and this is an unfortunate incident at the very beginning of crypto.  Imagine the same thing happening in ten years; it would be a much bigger problem.  And so, again, we're very sorry and this is an unfortunate event.  It's sort of a stepping stone to do much better and to invest a lot into doing better.  So, that's what we're going to do.

And, in terms of where the investment will go, we'll do it very thoughtfully, I think, because there's no point in rushing into finding short-term solutions to make everyone feel better.  But thoughtfully, we need to understand how to better invest our money.  And so, the two ideas that you gave are very good ones, and we'll consider them, of course, as we do this.  There is really a lot of content on the website, so what we're trying to do right now is to repackage it and re-present it to our users so they can actually read it, which sometimes they don't.  And so, we will push that back to them as much as possible.

And finally, about building a foundation or donation for security researchers, sure; that's a great idea.  We'll take that into consideration.  But I'll remind everyone also that we've got a Bounty program that is active today, so if you find anything that is relevant to Ledger security, whether it's process, tools, technology, please report it to the Bounty program, and the Bounty program does what it says, meaning we pay bounty to researchers.

Peter McCormack: All right, good.  I will follow up with you on supporting open-source development.  The only reason being, and the reason I'm going to push it is because, for Bitcoin to succeed, we rely on developers, we rely on people funding and supporting them and I always think the biggest companies in the industry, or making the most money, have a part to play.  But, next time we chat, I'll twist your arm and then see if you've got anywhere with that at all.

Some people probably won't like the fact that I'm going to ask this question, but I'm going to ask it anyway, because personally I think we need a competitive market for hardware devices.  I think you all take snipes at each other, but I think you all push each other to be better and work harder and I think the competition is helpful.  But, is Ledger a victim and are we missing anything there at all; or, is that not something we should focus on?

I'm only raising it because somebody put it on Twitter earlier.  They mentioned that you are a victim too and this is a complex problem that, yes, the mistake was simple, but there are so many data hacks that happen in so many different industries all across the board, it's almost zero chance that you could actually be 100% secure.

Pascal Gauthier: Yeah, I mean, there's truth in that.  I think overall, we are victims in a sense that Ledger and our community, we are a victim of our success.  And so, of course, it becomes a prime target for hackers, because they're going to try to hack the biggest and where there is the most value to be hacked. 

So, I think sometimes when I read the comments, people are furious about Ledger, and rightfully so and again, we're very sorry.  But sometimes, I think if we could take all that anger and direct it at the actual scammers, because the problem is we're all being victims of people who are trying to steal your Bitcoins, and we should fight the scammers.  We called our users -- we have this hashtag #StopTheScammers to really work as one to find the scammers, publish the website, make sure that we take down the website as quickly as possible.  And I actually think there is something to be done there.

So, in your idea of having a donation for researchers, we're thinking more of a foundation for these types of issues, to either fund teams that could combat these types of issues and/or a StopTheScammer Foundation where, whether it's Ledger, Kraken, Coinbase, Binance, we all have the same exact problem: data breaches and then, trying to scam the users as much as possible as many times as possible until they reveal their private keys, or until they send you their precious Bitcoin.  So, I think this is an industry problem and I think together, we could do better for sure in the future.

Peter McCormack: Okay, two final questions.  Penultimate question: so, I'm aware of one person who was phished and they lost $50,000 in Bitcoin.  I'm sure you're aware of others that have happened.  If somebody's data was stolen from your data store and they were phished because of that and they lose their Bitcoin, do you believe Ledger is liable for that or not?

Pascal Gauthier: It's a very difficult question.  So, I believe not, but these are very complex legal matters and what I would suggest, for any users, is to declare the scam and the loss to the competent local legal authorities, to the police, and follow the instructions from there.  I think if someone steals something from you, you just contact the competent authorities locally and then, follow the process, you know.

Peter McCormack: Yeah.  I guess most people feel like, "Hmm, I'm not going to see this back, I'm not going to see this again".

Pascal Gauthier: Well actually, that's not completely true, because we're actually trying to help our users as much as we can.  When they reach out to us and they suffer the loss of coins, we're actually trying to get them towards local authorities, complaining about the hack, and someone stealing from them, recommending them to Chainalysis to follow the coins and probably have the possibility of an exchange freezing the coins and returning them.

So, there are things that are becoming possible.  It comes at certainly a cost and for the user to actually do it very proactively, but I don't think users should do nothing, and they can always turn to us for advice and guidance on this.  Again, we're not shying away from anything and I think users should just do what they think is best for them.

Peter McCormack: Okay, last question.  Are you expecting to face any penalties because of the breach, through the GDPR legislation?

Pascal Gauthier: Probably not.  I mean, we'll see in the future.  What we've done with GDPR is to always stay compliant.  We declared the data breach as soon as we knew to the competent authorities and we followed the instructions by the book.  We will be updating the competent authorities again on this new finding that dates from yesterday; and I think again, we just do what we think is best for Ledger, for our users, and reporting to authorities.  And because we do everything by the playbook, we think we're on the safe side; but, time will tell.

Peter McCormack: Yeah.  Is there anything I've not asked you that you wish I had; any other comments that you wanted to add?

Pascal Gauthier: I think we covered a lot today and I think, you know, I really like all the questions that I've seen under your Twitter.  I mean, some are a little abrupt, but it's life, and I understand why users are really upset and they have to know that we are upset too and we want to do better, and we are very sorry for what has happened.  We can never say enough that we're sorry.  There's actually a meme on Pascal Gauthier saying he's sorry; I don't know if you've seen it?!

Peter McCormack: No, I haven't!

Pascal Gauthier: Yeah, well I'll send it to you; it's pretty funny.  And of course, it's a joke, and we take this very seriously.  But, maybe the last message is that Ledger is very sorry, I am very sorry, as Ledger CEO, and we're doing everything that we can to make the situation better.

Peter McCormack: Well, look, Ledger was the first hardware wallet I've got.  I've consistently used one.  I've always been a fan of the company.  I was disappointed to see this.  I will continue to use a Ledger device.  I believe the industry needs the competition between yourself, Trezor, Coldcard and any new entrants.  I will hold you to account, I will observe what you do over the next few months and perhaps, in three, four, five months, we'll get together again; we'll talk about where you've got with everything; and keep talking.

But, look, I appreciate you coming on.  I didn't give you any questions in advance; you've allowed me to ask every question I wanted.  There's probably stuff I should have asked that I haven't.  People are probably listening thinking they wished I'd asked different questions but, you know, we've covered a lot.  You were fully open with me and so I appreciate that.  I wish you and your team good luck in fixing these things.

Pascal Gauthier: Thank you.  And, Peter, maybe one last word from me.  I reached out to you first because I knew you would be honest and ask me all the questions that you thought would be fair to your users, which is why I reached out to you first; not because it was going to be easy, but because it was going to be true.  So again, thank you for your questions and if in four months we haven't done what I just said we will do, then I'm also sure that you'll let me know, but I hope I'll be back with good news.

Peter McCormack: Okay, great.  Well, listen, good to see you again.  Have a good Christmas and, yeah, we'll catch up in a few months.

Pascal Gauthier: All right, Peter, thank you so much.  Merry Christmas to you too.