Coinbase Slammed with Half-Dozen Lawsuits After Data Breach Exposes Customer Info
Another day, another crypto exchange making bankers look like paragons of cybersecurity. Coinbase now faces at least six lawsuits after failing to protect user data—because nothing says ’decentralized future’ like handing hackers your KYC details on a silver platter.
Plaintiffs allege gross negligence as sensitive information leaks. The suits pile on just as the SEC tightens screws on crypto custodians. Timing’s impeccable—like a margin call at 3AM.
Will this spark actual infrastructure upgrades? Unlikely. Exchanges keep treating security like an optional altcoin feature rather than table stakes. But hey, at least the lawyers are getting rich.
Several lawsuits ensue ahead of S&P 500 listing
One of the lawsuits, filed in a New York federal court by plaintiff Paul Bender on May 16, alleges that Coinbase failed to implement and maintain adequate security protocols, which has exposed users to “serious and ongoing risks.”
The complaint also accuses the exchange of mishandling the aftermath of the breach, calling its response “inadequate, fragmented, and delayed.”
“Users were not promptly or fully informed of the compromise. Coinbase did not immediately take meaningful steps to mitigate further harm, provide identity protection services, or offer actionable guidance to affected individuals,” the complaint read.
Bender’s suit claimed that the leaked data leaves users vulnerable to identity theft and financial fraud and may cause irreparable damage, given that personal information cannot be made secure once it has been exposed.
Coinbase was slapped with two additional lawsuits, also filed in New York on the basis of the same complaints, while a fourth case expounds on the initial case to include unjust enrichment. That lawsuit claims Coinbase failed to invest “enough” on data security infrastructure and is profiting at the expense of user safety.
Illinois users file class action over biometric data law breach
In a separate legal front, Coinbase is also facing a class-action lawsuit filed on May 13 in an Illinois federal court. Plaintiffs Scott Bernstein, Gina Greeder, and James Lonergan contend that Coinbase’s identity verification process violates the state’s Biometric Information Privacy Act (BIPA).
According to the lawsuit, Coinbase requires users to verify their identity by uploading a government-issued ID and a selfie. This information is then processed using facial recognition software to extract biometric identifiers.
The plaintiffs claimed that Coinbase did not properly notify users of this collection, nor did it disclose how long the data would be retained or how it would be destroyed.
Coinbase responds to breach and internal sabotage
In a blog post published the same day as the breach disclosure, Coinbase said it had refused to pay the $20 million ransom and instead launched a $20 million reward fund for information leading to the identification and arrest of those behind the attack.
Coinbase’s Chief Security Officer, Philip Martin, confirmed that the compromised customer service agents were based in India and have since been terminated. In a recent interview, Martin insisted that the company is working with law enforcement and industry partners to press charges against those responsible, including a “small group of insiders.”
“It sucks, but when we see a problem like this, we want to own it and make it right,” he reckoned.
The company estimated the cost of addressing the breach and compensating affected customers could range from $180 million to $400 million.
Meanwhile, Coinbase is under investigation by the US Securities and Exchange Commission (SEC) for “misrepresenting” user metrics in prior disclosures.
KEY Difference Wire helps crypto brands break through and dominate headlines fast
