- Coinbase had reported this breach to its community in May
- The exchange had said it could be facing reimbursements of up to $400 million
- The new lawsuit has called for a jury trial in the case
The data breach that Coinbase had reported to its community earlier this year continues to unfold with amounting egal proceedings. In a fresh development, a class action law firm Greenbaum Olbrantz has filed a lawsuit against the India-based outsourcing firm TaskUs, an employee of which was identified to have been linked to the data breach attack. It claims that sensitive user data including users’ bank account and social security numbers have been breached as part of this attack.
Key highlights form the lawsuit
The New York-based law firm, Greenbaum Olbrantz has called for a jury trial on behalf of a group of plaintiffs who believe they were impacted by the breach.
According to the lawsuit, malicious actors started bribing employees of TaskUs in 2024, seeking the sensitive information of the exchange’s users. It alleges that the business processing outsourcing (BPO) company working for Coinbase failed to secure the sensitive user data — causing substantial financial losses to the impacted Coinbase users.
Newsletter
Get weekly updates on the newest crypto stories, case studies and tips right in your mailbox.
Details including names, addresses, phone numbers, email addresses, social security numbers, bank account numbers, bank account identifiers, government-ID images, and account data are among details that were handed over to the attackers by the involved TaskUs employees, the lawsuit noted.
Citing sources familiar with the matter, the lawsuit said that the criminals were seeking Coinbase user info so that they could steal their crypto assets.
“As early as September 2024, TaskUs employee Ashita Mishra joined the conspiracy by agreeing to sell highly sensitive Coinbase user data to those criminals. On some days, Ms. Mishra took as many as 200 pictures of Coinbase user data. By the time TaskUs discovered the breach in early January 2025, TaskUs determined that Ms. Mishra’s phone contained data belonging to more than 10,000 Coinbase customers,” the filing noted.
It also highlighted that Mishra was part of a syndicate of TaskUs employees who were sending images of the data of Coinbase employees for $200 per picture.
“TaskUs could not identify all of the individuals involved As a result, TaskUs and its
investigators in the human resources department determined to terminate all employees at TaskUs’ Indore, India facility and its Guruguram facility, which both provided services to Coinbase,” the filing added.
The U.S. District Court for the Southern District of New York will now set a date to take the proceedings further. The lawsuit claims that the plaintiffs have collectively lost millions worth of crypto assets in this incident, with some having lost their retirement funds.
Coinbase’s position
In May, Coinbase CEO Brian Armstrong informed the exchange’s community that the platform had undergone a data breach incident. At the time, Coinbase had submitted its 8-K filing with the SEC wherein it estimated that it could be facing upto $400 million in reimbursements.
At the time, Armstrong had also said that the attackers had asked for $20 million from the exchange as ransom for the obtained details, a demand that Armstrong had refused to succumb to.
Within a week of this breach being reported, at least six lawsuits were reportedly filed against the U.S.-based exchange. Most accused the exchange of failing to protect its users and poorly dealing with the aftermath of the situation.
Coinbase has claimed that the incident impacted as many as 97,000 monthly users, 1 percent of Coinbase’s usual monthly traffic, which is nearly 10 million users.
The U.S.-based exchange is touted among the largest in the world.
