A significant class action lawsuit has been filed against TaskUs, the outsourcing firm implicated in a major data breach that has reportedly affected over 70,000 Coinbase customers. This breach has been characterized as one of the most substantial and detrimental security failures in the cryptocurrency sector to date. The lawsuit accuses TaskUs of negligence, alleging that it failed to protect sensitive customer information, including names, addresses, phone numbers, email addresses, bank account details, and government IDs, resulting in severe financial losses and ongoing risks for victims.
According to the lawsuit, the breach may have led to losses exceeding $400 million for Coinbase customers, with some individuals reportedly losing their entire retirement savings due to the incident. Victims are now experiencing a barrage of unwanted communications from criminals impersonating Coinbase representatives, and some have taken the extreme step of hiring bodyguards out of fear for their safety.
The filing includes several grave allegations regarding the extent and nature of the breach. Firstly, it disputes TaskUs’ assertion that only two employees were involved, suggesting instead that a widespread and coordinated effort may have included hundreds of staff members, culminating in the termination of around 300 employees as part of an internal investigation.
Further claims indicate that victims were not promptly notified of the breach, which was reportedly identified in January 2025, four months before Coinbase publicly acknowledged the situation. This delay allegedly deprived affected individuals of the opportunity to take protective measures, leading to significant financial losses.
TaskUs is also accused of failing to monitor its network effectively, resulting in a data breach that could have been prevented. The lawsuit contends that inadequate safeguards and policies set the stage for the criminal activity that exposed sensitive information to thieves. The absence of key logging software and poor enforcement of data handling policies allowed employees to access and exploit customer data freely.
The lawsuit raises alarm about the potential uses of the stolen data, highlighting the risk of fraud, identity theft, and even physical assaults. Lawyers fear the number of victims who suffer financial and psychological repercussions could grow as the fallout continues to unfold. Individuals whose information was compromised could face myriad crimes, including unauthorized financial transactions and identity-related abuse.
Intriguingly, the filing also delves into the financial motivations that may have driven some TaskUs employees to collude with criminals, noting vast discrepancies in salaries between TaskUs employees in India and their U.S. counterparts. Reports reveal that employees allegedly received substantial bribes—up to $200 per image of sensitive data captured on their devices—resulting in considerable profits for those involved in the illicit scheme.
The alleged conspiracy appears to have started in September 2024, with key figures identified among TaskUs personnel, raising questions about how long this breach was occurring undetected. In a telling incident, one employee was discovered with a phone containing data from more than 10,000 customers, highlighting the severe lapses in oversight.
Victims of the breach have detailed their harrowing experiences, with one individual recounting how they were duped into transmitting funds to criminals who had masqueraded as Coinbase employees during a phone call.
The lawsuit criticizes Coinbase’s response as misleading, suggesting that the company only went public with information about the breach after facing a ransom demand. It argues that Coinbase should have acted more swiftly to notify users, especially given the rising complaints concerning identity theft associated with the platform.
As it stands, TaskUs faces numerous allegations, and plaintiffs are seeking not only financial redress but reforms to enhance data protection measures within the company’s operations. The repercussions of this breach continue to reverberate throughout the cryptocurrency community, raising critical questions about cybersecurity and the protection of sensitive user information in the digital age.
