Amendments to a class action in New York against TaskUs have added new claims of systemic security failures and concealment in a breach tied to Coinbase customer data.
The amended complaint, filed on Tuesday at the Southern District of New York, adds key elements to earlier disclosures about how Coinbase’s customer data was handled across the timeline of the massive breach, from its origins in late 2024 to Coinbase’s eventual disclosure in May, with losses estimated to reach as much as $400 million.
“This was a criminal bribery scheme beginning in late 2024 that exploited both external vendors and a small number of Coinbase CX staff outside the U.S., enabling social-engineering scams against less than 1% of monthly transacting users,” a Coinbase spokesperson told Decrypt.
The crypto exchange said it notified affected users and regulators immediately, and reimbursed impacted customers as it tightened vendor and insider controls.
Coinbase has since ended its relationship with TaskUs, refusing to “pay the criminals” instead creating “a $20 million reward for information leading to arrests and convictions,” the spokesperson confirmed with Decrypt.
TaskUs did not immediately return Decrypt’s requests for comment.
Key changes to the complaint describe a coordinated scheme inside TaskUs’s India operations, where employees were allegedly bribed to photograph sensitive account information and pass it to criminals. Plaintiffs say the conspiracy spread beyond front-line staff, prompting TaskUs to dismiss around 300 employees in January.
'Coordinated criminal campaign'
The outsourcing firm’s public statements allegedly “belie a far broader and coordinated criminal campaign that involved dozens, if not hundreds of TaskUs employees,” the complaint reads.
The filing also accuses TaskUs of concealing the scope of the breach. According to plaintiffs, the company “ took steps to silence those with knowledge of the breach” and fired its own human resources personnel tasked with investigating the breach in February.
It later continued to tell regulators it had suffered no material breach, and moved ahead with a $1.6 billion buyout through Blackstone before Coinbase acknowledged the incident in May.
A Form 10-K filing from TaskUs in February did not cite any factors pertaining to the Coinbase breach, which meant that it was effectively claiming it “was not aware of any material data breach impacting the company,” before Coinbase acknowledged the incident in May, the amended complaint alleged.
The amended complaint also expands on claims that TaskUs ignored Section 5 of the FTC Act, framing the lapses as systemic rather than isolated.
Those standards guide “what businesses should do to avoid 'unfair' or 'deceptive' practices, Andrew Rossow, public affairs attorney and CEO of AR Media Consulting, told Decrypt. “While not all guidance is legally binding, ignoring it can show that a company was careless or misleading.”
Courts and regulators are weighing whether the compromised data was sensitive enough to expose people to identity theft or financial loss, Rossow explained.
They will also examine whether safeguards such as encryption or multi-factor authentication were employed, whether the risks were foreseeable, whether security promises aligned with reality, and whether consumers had any means to protect themselves.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
