Overview of the Lawsuit Against TaskUs
A recent update to the class action lawsuit filed in New York against TaskUs has introduced new allegations regarding significant security lapses and efforts to cover up a data breach related to Coinbase. The revised legal action, submitted on Tuesday in the Southern District of New York, further elaborates on how customer data at Coinbase was managed during the course of a significant breach that began in late 2024 and was disclosed by the crypto exchange in May, with potential losses estimated to be as high as $400 million.
Details of the Data Breach
According to a Coinbase spokesperson, this incident was characterized as a criminal bribery operation that began in late 2024, involving both external vendors and a limited number of Coinbase customer service representatives located outside the U.S. The operation targeted approximately 1% of active users through social engineering tactics. The company stated that it quickly informed those affected and regulatory bodies about the data breach, providing reimbursement to customers while enhancing control measures over vendors and insider access.
Response from Coinbase and TaskUs
Following the incident, Coinbase terminated its partnership with TaskUs and declined to pay the perpetrators. Instead, it established a $20 million reward for information leading to their arrest and conviction. As of now, TaskUs has not responded to inquiries from Decrypt regarding the situation.
Allegations Against TaskUs
The amended complaint presents detailed allegations of an organized scheme within TaskUs’s Indian operations, claiming that employees were bribed to capture sensitive account data and share it with criminals. Furthermore, plaintiffs allege that the conspiracy extended beyond just frontline employees, prompting TaskUs to lay off around 300 staff members in January.
The lawsuit contends that TaskUs’s representations to the public downplayed a more extensive and organized criminal operation involving many employees. Additionally, the amended lawsuit claims that TaskUs attempted to downplay the extent of the breach by silencing individuals who were aware of it, even firing human resources personnel involved in the breach investigation.
Regulatory and Legal Implications
Despite the breach, the company allegedly informed regulators that it had not experienced any material breach and proceeded with a planned buyout valued at $1.6 billion via Blackstone prior to Coinbase’s acknowledgment of the breach in May. A TaskUs Form 10-K filing from February did not recognize any issues related to the Coinbase breach, effectively suggesting that the company was unaware of any significant data breach affecting its operations before Coinbase’s public statement in May.
The revised complaint also emphasizes that TaskUs may have violated Section 5 of the Federal Trade Commission Act, arguing that the failures were systematic rather than mere anomalies. Andrew Rossow, a public affairs attorney, explained that these standards establish a framework for businesses to prevent ‘unfair’ or ‘deceptive’ practices; neglecting them could suggest irresponsibility.
Courts and regulatory bodies are currently determining whether the breached data was sensitive enough to pose risks such as identity theft or financial loss. They will also analyze the security measures that were in place at the time, such as encryption and multi-factor authentication, along with whether potential risks were anticipated and whether the company’s security claims were substantiated.