I cannot wrap my head around why Ledger did not take the obvious precaution of purging its customer database on a regular schedule. Deleting order records once they are no longer needed is one of the most basic data-minimisation measures available, and it would have drastically reduced the number of people exposed by the breach.
Ironically, Ledger collects a lot of data about its customers in order to comply with a range of laws and regulations whose main purpose is to protect users' privacy. The laws it must comply with include:
- French Act No. 78-17 of 6 January 1978 on data processing, data files and individual liberties: https://fra.europa.eu/en/law-reference/act-ndeg78-17-6-january-1978-data-processing-data-files-and-individual-liberties
- The same act, as published by the CNIL: https://www.cnil.fr/sites/default/files/typo/document/Act78-17VA.pdf
- The GDPR: https://www.activemind.legal/legislation/gdpr/
- The ePrivacy Directive (2002/58/EC): https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32002L0058
- and others
When you buy a hardware wallet through the official Ledger website, the following information is collected and retained for a long time:
- Your name (first name, last name);
- Your e-mail address;
- Your postal address;
- Your phone number;
- Your physical address and other contact details;
- Your credit card number;
- Your other payment information;
- When you contact customer support, Ledger records and stores its correspondence with you;
- You may also be asked to complete a small KYC procedure when contacting customer support;
- Your IP address;
- Your operating system;
- The type of device you use;
- Date and time you visit the website;
- Browsing data (information about your visit, including the URL clickstream to, through and from the website, products you viewed or searched for, download errors, length of visits to certain pages, and page interaction).
Source: https://shop.ledger.com/pages/privacy-policy
It is also worth noting that users can (and should) request manual deletion of their personal data, but this does not guarantee that the data will be deleted immediately.
In short, if you care about your privacy, you are better off not shopping through the official store. This is worse than any KYC on any centralized exchange.