In brief
- The amended complaint claims TaskUs’s India operations were at the center of a coordinated bribery scheme to steal customer information.
- Plaintiffs allege the company concealed the breach, firing investigators and failing to disclose details in securities filings before a $1.6 billion Blackstone buyout.
- Coinbase reimbursed affected users, tightened controls, and ended its relationship with TaskUs, Decrypt was told.
Amendments to a class action in New York against TaskUs have added new claims of systemic security failures and concealment in a breach tied to Coinbase customer data.
The amended complaint, filed on Tuesday at the Southern District of New York, adds key elements to earlier disclosures about how Coinbase’s customer data was handled across the timeline of the massive breach, from its origins in late 2024 to Coinbase’s eventual disclosure in May, with losses estimated to reach as much as $400 million.
“This was a criminal bribery scheme beginning in late 2024 that exploited both external vendors and a small number of Coinbase CX staff outside the U.S., enabling social-engineering scams against less than 1% of monthly transacting users,” a Coinbase spokesperson told Decrypt.
The crypto exchange said it notified affected users and regulators immediately, and reimbursed impacted customers as it tightened vendor and insider controls.
Coinbase has since ended its relationship with TaskUs, refusing to “pay the criminals” and instead creating “a $20 million reward for information leading to arrests and convictions,” the spokesperson confirmed to Decrypt.
TaskUs did not immediately return Decrypt’s requests for comment.
Key changes to the complaint describe a coordinated scheme inside TaskUs’s India operations, where employees were allegedly bribed to photograph sensitive account information and pass it to criminals. Plaintiffs say the conspiracy spread beyond front-line staff, prompting TaskUs to dismiss around 300 employees in January.
‘Coordinated criminal campaign’
The outsourcing firm’s public statements allegedly “belie a far broader and coordinated criminal campaign that involved dozens, if not hundreds of TaskUs employees,” the complaint reads.
The filing also accuses TaskUs of concealing the scope of the breach. According to plaintiffs, the company “took steps to silence those with knowledge of the breach” and fired its own human resources personnel tasked with investigating the breach in February.
It later continued to tell regulators it had suffered no material breach, and moved ahead with a $1.6 billion buyout through Blackstone before Coinbase acknowledged the incident in May.
A Form 10-K filing from TaskUs in February did not cite any factors pertaining to the Coinbase breach, which meant that it was effectively claiming it “was not aware of any material data breach impacting the company,” before Coinbase acknowledged the incident in May, the amended complaint alleged.
The amended complaint also expands on claims that TaskUs ignored Section 5 of the FTC Act, framing the lapses as systemic rather than isolated.
Those standards guide “what businesses should do to avoid ‘unfair’ or ‘deceptive’ practices,” Andrew Rossow, public affairs attorney and CEO of AR Media Consulting, told Decrypt. “While not all guidance is legally binding, ignoring it can show that a company was careless or misleading.”
Courts and regulators are weighing whether the compromised data was sensitive enough to expose people to identity theft or financial loss, Rossow explained.
They will also examine whether safeguards such as encryption or multi-factor authentication were employed, whether the risks were foreseeable, whether security promises aligned with reality, and whether consumers had any means to protect themselves.