Coinbase knew about data breach months before disclosure, sources claim
A contractor working for Coinbase allegedly sold customer data to hackers in January, months before the crypto exchange disclosed the recent KYC data leak.

According to a Reuters report citing six people familiar with the matter, at least one part of the breach involved an India-based employee of TaskUs, a US outsourcing firm that handled Coinbase support. The individual was caught taking photographs of her work computer with a personal phone. Former TaskUs employees said the contractor, along with an alleged accomplice, sold Coinbase customer data in exchange for bribes.

Sources claim that Coinbase was immediately notified after the incident, which occurred in Indore, India, suggesting the company had prior knowledge of the breach well before its May 14 regulatory filing. Three former TaskUs employees and another source said more than 200 workers were fired in a mass layoff that followed, although only two were implicated in the breach. The details, reported publicly for the first time by Reuters, suggest Coinbase may have known about the breach long before its May 14 disclosure to regulators.

In its SEC filing, Coinbase confirmed that third-party contractors accessed sensitive data “without business need” in prior months but claimed it only realised the extent of the breach after a $20 million extortion attempt from the hackers on 11 May. The company said it then discovered the unauthorised access was part of a broader campaign.

Coinbase confirmed to Reuters that it had since terminated all ties with the implicated TaskUs personnel and other overseas agents and has tightened internal security controls. TaskUs, in a statement issued earlier this year, acknowledged the firing of two employees and stated that the breach was part of a broader, coordinated criminal campaign targeting one of its clients, although it did not name the client at the time. A source confirmed that the client was indeed Coinbase. As of now, it is unclear whether any arrests have been made.
For TaskUs, this is not the first time it has faced scrutiny over a crypto-related data breach. In 2022, the company was named in multiple lawsuits alongside Shopify over a 2020 breach involving Ledger SAS, a hardware wallet provider.

Coinbase under legal scrutiny

Coinbase first disclosed the breach in its May regulatory filing, where it stated that a subset of users had their data accessed through compromised third-party contractors. While the company said no passwords or funds were stolen, it confirmed that personal data such as names, email addresses, and in some cases, partial Social Security numbers and ID documents were exposed.

The incident triggered a criminal investigation by the US Department of Justice, with the agency’s criminal division reportedly working with international law enforcement agencies to assess whether Coinbase’s internal controls were sufficient to prevent such access.

Separately, Coinbase is facing multiple lawsuits in the US, including a federal case filed in Manhattan that alleges negligence on the part of both Coinbase and TaskUs. Plaintiffs claim that the companies failed to implement adequate safeguards, allowing rogue contractors to leak sensitive KYC data. The lawsuits seek damages for affected users, and some argue that Coinbase delayed public disclosure despite having prior knowledge of the breach.

The new revelations from Reuters that Coinbase was notified of the incident as early as January could complicate its legal defence. Plaintiffs may cite this timeline to argue that the company withheld material information from regulators and customers. It could also strengthen claims that Coinbase’s oversight of its outsourcing partners was insufficient, increasing the pressure on the SEC and other regulators to pursue enforcement action.

Source: Invezz