TLDR
- TaskUs is accused of silencing employees investigating the Coinbase data breach.
- The amended lawsuit reveals a coordinated scheme involving TaskUs employees in India.
- TaskUs allegedly concealed the scope of the Coinbase data breach for months.
- Coinbase severed ties with TaskUs and offered a $20 million reward for information.
- The lawsuit claims TaskUs violated the FTC Act by failing to disclose security failures.
The amended class action against TaskUs adds fresh claims of systemic security failures and concealment tied to the Coinbase data breach. Filed in the Southern District of New York, the lawsuit expands on previous allegations, detailing how the breach affected Coinbase’s customer data. Plaintiffs accuse TaskUs of silencing employees and hiding the full scope of the breach that affected users and regulators.
Allegations of a Coordinated Scheme in India
The amended complaint claims that TaskUs employees in India were bribed to photograph sensitive Coinbase account details. These images were allegedly passed on to criminals as part of a coordinated scam, impacting Coinbase’s users. According to the complaint, the conspiracy spread beyond front-line staff, involving other employees within TaskUs.
The plaintiffs argue that TaskUs fired around 300 employees in January to cover up the scale of the breach. The lawsuit highlights that TaskUs’s public statements contradicted the broader criminal scheme. The filing accuses the company of downplaying the breach and failing to alert regulators until Coinbase made the incident public in May.
The amended complaint further claims that TaskUs attempted to suppress knowledge of the breach. Plaintiffs allege that the company fired human resources staff who were investigating the breach. In addition, TaskUs reportedly continued to mislead regulators, claiming there was no material breach while moving forward with a major buyout deal.
Coinbase Takes Action After Data Breach in May
Despite the severity of the Coinbase data breach, TaskUs failed to disclose it in its February Form 10-K filing. The company stated that it was not aware of any material data breach impacting its operations at the time. This lack of transparency reportedly occurred even as TaskUs engaged in a $1.6 billion buyout deal through Blackstone.
Coinbase, however, took immediate action once it became aware of the breach in May. The company notified affected users and regulators while reimbursing impacted customers. Coinbase also severed ties with TaskUs, refused to pay the criminals involved in the scheme, and offered a $20 million reward for information.
The Coinbase data breach, which resulted in estimated losses of up to $400 million, has prompted increased scrutiny from courts and regulators. Investigations are focusing on whether TaskUs failed to meet security standards such as encryption and multi-factor authentication. Authorities are also evaluating whether TaskUs’s practices were misleading and whether consumers could have protected themselves.
FTC Act and Systemic Failures at TaskUs
TaskUs faces additional scrutiny over its handling of the breach in relation to the FTC Act. The amended complaint claims the company ignored Section 5, which sets standards for avoiding unfair or deceptive practices. Experts note that while FTC guidelines may not be legally binding, ignoring them could indicate negligence or misleading behavior.
Andrew Rossow, a public affairs attorney, said the breach could highlight TaskUs’s systemic lapses in security practices. Courts and regulators will examine whether TaskUs’s security failures were a result of carelessness or an intentional cover-up.