Coinbase, the US based crypto exchange, was aware of a customer data breach as early as January, according to six people familiar with the matter. Moreover, reports suggest that the breach was linked to a customer data leak in India.
Coinbase Attack and its Links to Outsourced Support Mishap
The leak came from TaskUs, which is a US outsourcing company with offices in India. In May, Coinbase disclosed in an SEC filing that its customer data had been accessed by support agents overseas. The breach had reportedly cost the company up to $400 million.
The incident reportedly began when a TaskUs employee in Indore, India, was caught taking photos of her work computer with her phone. According to five former TaskUs employees, she and another worker were passing Coinbase customer data to hackers in exchange for bribes.
Three former employees and a source close to the matter said Coinbase was told about the incident immediately. Over 200 TaskUs employees were later fired in a mass layoff, which gained attention in Indian media.
Though Coinbase has pointed to “overseas support agents” as the source of the breach, new details raise questions about when the company truly became aware of the issue. The link to TaskUs was previously suggested in a lawsuit filed last week in Manhattan federal court.
In its May SEC filing, Coinbase stated that it noticed suspicious data access “in previous months,” but only realized the full scale of the breach after receiving an extortion demand on May 11.
Coinbase told Reuters it had since severed ties with TaskUs personnel involved and other overseas agents, and strengthened its internal controls. The company did not name the other foreign agents.
TaskUs confirmed in a statement that two employees had been fired earlier this year for illegally accessing client data. The company said it informed the client immediately and believes the two were part of a broader criminal scheme targeting the client.
The security breach has become a major point of criticism from many crypto enthusiasts toward Coinbase. In response to these attacks, Armstrong addressed several issues, which included the scale of the breach, the legal implications for executives, and the government-mandated data collection practices he believes contribute to such incidents.
Armstrong went on to clarify that the data is not public yet. Armstrong said the stolen data has not yet surfaced on the dark web and expressed hope that the attacker would recognize the risk of becoming an accessory to more serious crimes. “There is a $20 million bounty on their head,” he added, implying serious consequences for further misuse of the data.
Also Read: Coinbase Estimates Cyberattack Could Cost up to $400M
