Cybersecurity Alert: Lost Passwords Could Lead to $190 Million Gone Forever
By Hanne-Lore M. Gambrell & Craig S. Horbus on February 15, 2019
Customers of Canadian crypto exchange company, QuadrigaCX are panicking after the death of QuadrigaCX’s CEO, Gerald Cotton, in December 2018. When Cotton died, he took to his grave the password to access all of the company’s customers’ digital currency, which is currently being held in cold storage.
Cold storage in the context of crypto currency refers to keeping a reserve of crypto currency offline. This is often a necessary security precaution, especially dealing with large amounts of crypto currency. For example, a crypto currency exchange typically offers an instant withdrawal feature, and might be a steward over hundreds of thousands of Bitcoin. To minimize the possibility that an intruder could steal the entire reserve in a security breach, the operator of the website, in this case, QuadrigaCX, follows a best practice by keeping the majority of the reserve in cold storage, or in other words, not present on the web server or any other computer. The only amount kept on the server is the amount needed to cover anticipated withdrawals. While cold storage mitigates the risk of a security breach, access to the coins often requires passwords and encrypted codes for the devices that are holding the crypto currency.
Cotten’s widow, Jennifer Robertson, in an affidavit, stated that “it appears a significant portion of [QuadrigaCX’s] the crypto currency was in fact held in cold storage” and that “Cotten was the sole holder of access to the coins, which included around 26,000 Bitcoin.” Mrs. Robertson stated “The laptop computer from which Gerry carried out the Companies’ business is encrypted and I do not know the password or recovery key. Despite repeated and diligent searches, I have not been able to find them written down anywhere.”
According to Mrs. Robertson’s affidavit, QuadrigaCX also holds around 11,000 Bitcoin Cash, 11,000 Bitcoin Cash SV, 35,000 Bitcoin Gold, close to 200,000 Litecoin, and more than 400,000 Ether, which is equivalent to approximately $190 million.
QuadrigaCX posted on its website, “For the past weeks, we have worked extensively to address our liquidity issues, which include attempting to locate and secure our very significant crypto currency reserves held in cold wallets. Unfortunately, these efforts have not been successful. Further updates will be issued after the hearing.”
The company is reportedly hoping to schedule a hearing to confirm a stay of proceedings in an attempt to pre-empt the filing of lawsuits.
In light of this interesting story, while the attorneys at Brouse McDowell would like to stress how important it is for our clients to maintain best practices when it comes to data privacy and cybersecurity; we also suggest implementing a succession plan so that scenarios like this are avoided. Brouse McDowell offers legal services related to data privacy and cybersecurity, including pre-breach and cybersecurity planning services, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Contact us for more information.