In a recent development, an amended complaint has been filed in a class action lawsuit against TaskUs, detailing serious allegations regarding its operations in India. The plaintiffs claim that these operations were central to a coordinated bribery scheme designed to access and steal sensitive customer information. The allegations suggest that TaskUs engaged in systematic security failures, concealed the extent of a major data breach, and even terminated individuals who sought to investigate misconduct related to the incident.
According to the amended complaint filed in the Southern District of New York, the breach reportedly began in late 2024 and persisted until Coinbase disclosed it in May, with potential financial losses from the incident estimated to reach as high as $400 million. A spokesperson for Coinbase stated that the breach, described as a “criminal bribery scheme,” involved not only external vendors but also a limited number of Coinbase customer support staff working outside the U.S. The spokesperson emphasized that less than 1% of monthly transacting users were targeted through social engineering scams.
Coinbase responded promptly by notifying the affected users and regulatory authorities, providing reimbursements to those impacted, and subsequently tightening its controls over vendors and internal staff. The company has since severed its business relationship with TaskUs, opting not to “pay the criminals” involved in the scheme. Instead, Coinbase has established a $20 million reward for information leading to the arrest and conviction of the individuals responsible for the breach.
The amended complaint includes troubling new details, asserting that employees within TaskUs’s Indian division were reportedly bribed to take photographs of sensitive account information and share it with criminals. This alleged conspiracy was said to involve a significant number of employees, prompting TaskUs to terminate around 300 workers in January. The updated filing depicts the scandal as a much larger and organized effort than previously acknowledged.
Further accusations in the complaint assert that TaskUs attempted to mislead regulators and the public regarding the scope of the breach. The plaintiffs allege that the company took steps to silence those knowledgeable about the issue, including dismissing its own human resources personnel who were investigating the incident. Despite the ongoing crisis, TaskUs reportedly told regulators in its Form 10-K filing that it was unaware of any material data breach.
Moreover, the lawsuit claims that TaskUs failed to comply with Section 5 of the FTC Act, which outlines requirements to prevent “unfair” or “deceptive” practices. Experts suggest that such lapses could indicate neglect on the part of the company, particularly in terms of security practices that should have been in place. Courts and regulators are now reviewing whether the compromised data was sufficiently sensitive to put individuals at risk of identity theft or financial loss. They are also examining whether adequate safeguards were implemented, along with evaluating the foreseeability of the risks involved and the accuracy of the company’s security representations.
As this situation unfolds, it raises critical questions about corporate responsibility and the safeguarding of customer information in the rapidly evolving sector of cryptocurrency exchanges.
