In May, Coinbase disclosed a significant data breach that affected thousands of its clients, leading to concerns about the security of personal information in the cryptocurrency space. According to estimates, the hack could cost Coinbase up to $400 million. The breach reportedly involved rogue employees from TaskUs, a customer service outsourcing firm based in Texas, specifically rooted in its Indore, India service center.
New court documents from the class-action law firm Greenbaum Olbrantz provided a detailed look into the activities of Ashita Mishra, an employee implicated in the data theft. Mishra allegedly began stealing sensitive customer information, including Social Security numbers and bank account details, in September 2024, and sold this data to hackers. These criminals allegedly used the stolen information to impersonate Coinbase employees, eventually persuading customers to divulge their cryptocurrency holdings.
The complaint describes a “sophisticated hub-and-spoke conspiracy,” where Mishra, alongside another accomplice, enlisted other TaskUs employees to embezzle customer data. This network supposedly included team leaders and operation managers who were complicit in the scheme. At the peak of the breach, Mishra’s phone reportedly held data for over 10,000 Coinbase customers, and she was compensated $200 for each captured image of customer accounts, sometimes taking as many as 200 photos a day. Coinbase later revealed that over 69,000 customers were affected by the hack.
Continuing its investigation, the court filings allege that the thefts began in September 2024, diverging from Coinbase’s earlier statements that the breach had occurred in late December. TaskUs has also alleged that some Coinbase employees might have also been involved in the hack. However, no additional details were provided.
Both Coinbase and TaskUs have yet to comment on the amended complaint. In previous statements, representatives from both companies emphasized their commitment to protecting customer data and outlined actions taken following the breach, including severing ties with implicated personnel and tightening security protocols.
The detailed account in the recent complaint outlines a significant breach in Coinbase’s history, marking one of the year’s most extensive hacks in the cryptocurrency realm. In response to the breach, several lawsuits have been initiated against Coinbase, with the company urging that these cases be resolved through arbitration, a strategy companies typically follow to minimize financial repercussions and public scrutiny.
Greenbaum Olbrantz’s amended complaint suggests that TaskUs attempted to silence those aware of the breach. In January, the company terminated 226 employees connected to the Indore center due to the severity of the infiltration, which allegedly permeated TaskUs systems to such an extent that it became challenging to identify all involved parties. Additionally, the lawsuit claims that TaskUs fired the HR team responsible for investigating the incident, depicting this as a “pattern of concealment.”
This amended filing further illustrates the evolving landscape of accountability and transparency in the realm of data security within the crypto industry, with the law firm committed to ensuring that all responsible parties are held liable.
