Bengaluru: Two India-based employees of U.S. business process outsourcing firm TaskUs have been accused of unlawfully accessing sensitive customer data belonging to cryptocurrency exchange Coinbase. The breach is reportedly part of a broader criminal operation that targeted not only Coinbase but also several other vendors associated with the platform.
Coinbase, which uses TaskUs to handle outsourced customer support operations in India, disclosed the incident in a filing with the U.S. Securities and Exchange Commission (SEC). According to the filing, the breach did not compromise passwords or private keys, and at no point did the contractors or employees gain access to user funds. However, the accessed data included customer names, contact information, masked Social Security numbers, government ID images, and account details.
The security incident is now the subject of legal scrutiny. Plaintiff Nelson Estrada has filed a complaint in a U.S. court against TaskUs, alleging the firm failed to protect the personally identifiable information (PII) of millions of individuals.
Coinbase stated in its filing that it had received an email from an unidentified threat actor claiming to possess data on specific customer accounts and internal documentation relating to customer service and account management. “The threat actor,” Coinbase noted, “appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access.”
The preliminary cost of dealing with the breach—including investigation, remediation, and customer reimbursements—has been estimated by Coinbase to fall between $180 million and $400 million.
Responding to queries, TaskUs acknowledged the internal breach, saying, “Early this year, we identified two individuals who illegally accessed information from one of our clients. We believe these two individuals were recruited by a much broader, coordinated criminal campaign against this client that also impacted a number of other providers servicing this client.”
TaskUs further said that it acted immediately after detecting the issue, notifying Coinbase, terminating the involved employees, and engaging with law enforcement. “Out of an abundance of caution, TaskUs ceased all Coinbase operations in Indore in early January, impacting 226 teammates. Following the investigation, all teammates, excluding the two bad actors, were offered a generous severance package, including six months of pay,” the company added. “We place the highest priority on safeguarding the data of our clients and their customers and continue to strengthen our global security protocols and training programmes, including by investing millions of additional dollars in physical and information security.”
A Coinbase spokesperson confirmed the incident and reiterated that no critical account access credentials had been leaked. “As we’ve already disclosed, we recently discovered that a threat actor solicited overseas agents to capture customer account information dating back to December 2024. We notified affected users and regulators, cut ties with TaskUs personnel involved and other overseas agents, and tightened controls. No passwords, private keys, or any other information that would allow someone to directly access customer accounts or funds were exposed, and Coinbase Prime accounts are untouched,” the spokesperson said.
