An amended class action complaint filed this week in the Southern District of New York has expanded claims against outsourcing firm TaskUs, alleging systemic security lapses and concealment linked to a Coinbase data breach that exposed customer information in 2024–2025.
The complaint builds on earlier disclosures, now alleging that bribed TaskUs employees in India photographed sensitive customer data and passed it to cybercriminals in exchange for payments. Plaintiffs argue this insider scheme extended well beyond frontline staff, culminating in the dismissal of about 300 employees in January 2025.
Alleged scheme inside TaskUs operations
Court filings claim some TaskUs staff accepted money to capture sensitive Coinbase account information, including names, contact details, and financial identifiers. One amended filing alleged the misconduct evolved into a “hub‑and‑spoke conspiracy” spreading through local offices.
While the original complaint did not name individuals, subsequent filings referenced TaskUs employees under investigation by Indian authorities. Plaintiffs allege some employees took hundreds of photos daily and were paid up to $200 per image. Investigators said one device allegedly contained data from more than 10,000 Coinbase customers at the time of seizure.
TaskUs has not issued public comment on the amended filing. Its February 2025 Form 10‑K filing did not identify any material data breaches, which plaintiffs now argue misrepresented the company’s exposure as it pursued a $1.6 billion sale to Blackstone.
Coinbase’s response
Coinbase confirmed in May that fewer than 1% of monthly transacting users were affected by the breach, estimating losses that could reach $400 million in damages across the scheme.
A Coinbase spokesperson said:
“This was a criminal bribery scheme beginning in late 2024 that exploited both external vendors and a small number of Coinbase CX staff outside the U.S. … Affected customers and regulators were notified immediately, and reimbursements were issued. We refused to pay the criminals, we strengthened our controls, and we cut ties with TaskUs.”
The exchange has launched a $20 million reward program for information leading to arrests and convictions. Coinbase has since fully terminated its vendor relationship with TaskUs.
Allegations of concealment
The lawsuit contends TaskUs “took steps to silence those with knowledge of the breach,” including the termination of internal investigators. Plaintiffs argue the company was focused on protecting its acquisition prospects while minimizing reputational fallout.
The complaint also cites claims that TaskUs misled regulators by continuing to assert that no material data breach had taken place during the first quarter of 2025, a period when internal investigations and layoffs were already underway.
Legal framing under FTC standards
The amended case also invokes Section 5 of the FTC Act, which governs unfair or deceptive practices.
“While Section 5 guidance isn’t always legally binding, courts use it to assess whether a company ignored foreseeable risks,” explained Andrew Rossow. “Regulators will want to know whether safeguards were in place, whether promises aligned with reality, and whether consumers had any way to protect themselves.”
Federal and state courts handling the matter are expected to weigh whether the exfiltrated data meets the threshold of sensitive customer information (including potential identity theft exposure) and whether TaskUs’s safeguards matched industry standards like encryption or multi‑factor controls.
Tanya Petrusenko
Disclaimer: All materials on this site are for informational purposes only. None of the material should be interpreted as investment advice. Please note that despite the nature of much of the material created and hosted on this website, HODL FM is not a financial reference resource, and the opinions of authors and other contributors are their own and should not be taken as financial advice. If you require advice. HODL FM strongly recommends contacting a qualified industry professional.
