Coinbase Faces Backlash For Allegedly Delaying Recent Data Breach Disclosure




Coinbase is facing backlash after a recent report claimed that the crypto exchange had learned about the recently disclosed data breach months before disclosing it to the public, sparking a debate about transparency.

Coinbase Allegedly Delayed Data Breach Disclosure

On Monday, Reuters reported that Coinbase has been aware of a customer data leak linked to the estimated $400 million data breach disclosed last month. The news outlet claims that at least one part of the breach, disclosed on May 14, happened in January and involved an overseas contractor for the crypto exchange.

Six people familiar with the matter told Reuters that an India-based employee of the US outsourcing firm TaskUs was caught at the start of the year taking pictures of her work computer with her phone to sell to hackers.

According to the report, multiple ex-employees allege that the suspected woman and an accomplice had “been feeding Coinbase customer information to hackers in return for bribes,” adding that the crypto exchange was immediately notified of the incident.

This resulted in a mass layoff of over 200 TaskUs employees, which caught the attention of Indian media outlets. In a statement to Reuters, Coinbase stated that the incident was recently discovered, affirming that it had “cut ties with the TaskUs personnel involved and other overseas agents, and tightened controls.”

However, the exchange did not disclose the identity of the other foreign agents. Meanwhile, TaskUs stated it had fired two employees for illegally accessing information from an undisclosed client.

In the statement, the outsourcing company claims to have “immediately reported this activity to the client,” as they “believe these two individuals were recruited by a much broader, coordinated criminal campaign against this client that also impacted a number of other providers servicing this client.”

Investors Criticize Lack Of Transparency

As reported by Bitcoinist, Coinbase CEO Brian Armstrong revealed on May 14 that malicious actors bribed a handful of support contractors overseas to access the company’s internal tools, leading to the leak of names, email addresses, limited transaction records, and partial Social Security numbers of around 1% of the exchange’s users.

The hackers used the information to attempt to blackmail Coinbase, demanding a $20 million Bitcoin (BTC) ransom to return the sensitive data, which the crypto exchange refused to pay.

In its May filing with the Securities and Exchange Commission (SEC), Coinbase affirmed that instances of contractors accessing the data “without business need were independently detected by the Company’s security monitoring in the previous months,” claiming that, after the blackmail attempt, it concluded “these prior instances of improper data access were part of a single campaign.”

Following the Reuters report, Coinbase was questioned about when it first became aware of the severity of the data breach. Crypto investors expressed their concerns about a potential lack of transparency, with some inquiring about the reasons for not disclosing the breach months ago.

Others criticized the exchange for using “cheap” contractors overseas instead of direct employees for sensitive data. “60 billion dollar company saves a few bucks on headcount while exposing home addresses for their richest customer base,” an X user stated.

Moreover, the exchange is facing legal scrutiny, with several class action lawsuits and a Department of Justice (DOJ) investigation. Notably, an investor filed a lawsuit on May 22 alleging that the company’s shareholders have suffered “significant losses and damages” due to a long list of “wrongful acts and omissions,” including the data breach incident.

Meanwhile, a May 27 lawsuit against TaskUs claims that the outsourcing company and Coinbase “failed to timely notify Plaintiff and other Class Members” despite being aware of the incident for months, noting that between January and May, “TaskUs disclosed in its Form 10-Ks that they were not aware of any material data breaches impacting their respective companies.”


