Amendments to Lawsuit Against TaskUs

Amendments to a class action in New York against TaskUs have introduced new claims of systemic security failures and concealment related to a breach involving Coinbase customer data.

The amended complaint, filed on Tuesday at the Southern District of New York, elaborates on earlier disclosures regarding the handling of Coinbase’s customer data during the breach, from its inception in late 2024 to Coinbase’s eventual disclosure in May, with estimated losses potentially reaching up to $400 million.

A Coinbase spokesperson informed Decrypt:
> “This was a criminal bribery scheme beginning in late 2024 that exploited both external vendors and a small number of Coinbase CX staff outside the U.S., enabling social-engineering scams against less than 1% of monthly transacting users.”

Coinbase claimed it notified affected users and regulators immediately and provided reimbursements to impacted customers while strengthening vendor and insider controls.

Since the incident, Coinbase has terminated its relationship with TaskUs to avoid “paying the criminals” and instead launched a $20 million reward for information leading to arrests and convictions, as confirmed by the spokesperson.

TaskUs did not respond to Decrypt’s request for comment.

‘Coordinated Criminal Campaign’

Key updates to the complaint describe a coordinated scheme within TaskUs’s India operations, where employees allegedly received bribes to photograph sensitive account information and relay it to criminals. Plaintiffs assert that this conspiracy extended beyond just front-line staff, leading TaskUs to dismiss around 300 employees in January.

The complaint claims that TaskUs’s public statements do not reflect the extensive and coordinated criminal activities involving numerous employees. Moreover, the filing alleges that TaskUs concealed the breach’s full scope, taking measures to silence individuals knowledgeable about the incident and firing their own HR staff investigating the breach in February.

Despite the incident, TaskUs continued asserting to regulators that it had not experienced a material breach and proceeded with a $1.6 billion buyout through Blackstone before Coinbase publicly acknowledged the breach in May.

The amended complaint indicates that a Form 10-K filing from TaskUs in February did not reference any factors related to the Coinbase breach, suggesting the company claimed it was unaware of any significant data breach affecting its operations.

Further claims in the amended complaint suggest that TaskUs neglected Section 5 of the FTC Act, highlighting these failures as systemic rather than individual incidents. Andrew Rossow, a public affairs attorney and CEO of AR Media Consulting, noted the importance of these standards, emphasizing that while not all guidance is legally binding, a company ignoring them can appear careless or misleading.

Courts and regulators are assessing whether the compromised data is sensitive enough to lead to identity theft or financial loss. They will also evaluate if adequate safeguards, such as encryption or multi-factor authentication, were in place and if the risks were foreseeable, reviewing whether security assurances matched reality and if consumers had adequate means to protect themselves.