Coinbase has been aware since January of a data breach involving customer information leaked by an employee of its outsourcing firm, TaskUs, months before the incident was publicly disclosed in May.
The breach originated when a female employee at TaskUs' Indore office in India was caught photographing sensitive work data on her personal phone. The employee, along with a suspected accomplice, allegedly sold Coinbase customer data, affecting nearly 70,000 users. Stolen information included names, phone numbers, addresses, identification documents, account balances, transaction histories, and internal company data.
Following the incident, Coinbase terminated the involved personnel and severed ties with other overseas agents implicated, as well as tightening internal controls. The exchange also rejected a $20 million ransom demand and instead announced a bounty for information leading to those responsible.
TaskUs reportedly fired over 200 employees in connection with the breach, which has prompted at least six class-action lawsuits against Coinbase and could lead to financial damages estimated between $180 million and $400 million.
This event highlights ongoing concerns over security risks with third-party service providers and outsourcing firms in the crypto sector. Coinbase’s failure to disclose the breach promptly has also drawn regulatory and legal scrutiny.