Simply put
- The updated complaint claims that Taskus’ operations in India were central to a planned bribery scheme aimed at stealing customer data.
- Plaintiffs allege that the company hid these violations, dismissed investigators, and failed to disclose important information regarding the $1.6 billion acquisition by Blackstone.
- According to reports, Coinbase has issued refunds to affected users and has tightened its restrictions while ending its partnership with Taskus.
The New York class action lawsuit against Taskus has been revised to include new allegations about systematic security failures and concealment regarding Coinbase customer data.
This updated filing in the Southern District of New York includes significant details about how Coinbase customer information was managed during a timeline of major violations, tracing back to late 2024. Notably, it was estimated in May that the potential financial loss could reach as high as $400 million.
“This is a criminal bribery scheme that exploited both external vendors and a small number of Coinbase customer experience staff outside the US during the latter half of 2024. It allowed social engineering fraud affecting less than 1% of monthly trading users,” a Coinbase representative stated.
Coinbase reported that it promptly notified impacted users and regulatory bodies, offering refunds to customers while enforcing stricter controls on vendors and internal personnel.
Following this incident, Coinbase terminated its contract with Taskus and refused to “pay the criminals.”
Taskus had not responded to requests for comments.
The updated complaint outlines a coordinated operation involving Taskus’ Indian staff, alleging that employees received bribes to capture sensitive account information for criminals. The plaintiffs assert that the conspiracy involved more than just frontline staff, leading to the termination of around 300 employees in January.
“A coordinated crime campaign”
The outsourcing company claimed, “We believe a broader coordinated criminal effort includes dozens, if not hundreds, of Taskus employees,” according to the complaint.
The filing also accuses Taskus of obscuring the extent of the violations, stating that the company “took steps to silence those who were aware of the violation,” including firing its HR officer in February, who was investigating the issues.
Furthermore, Taskus allegedly communicated to regulators that they had not experienced any major violations while proceeding with the $1.6 billion acquisition by Blackstone, even before Coinbase acknowledged the incident in May.
Before this acknowledgment, Coinbase had effectively stated that it “was unaware of any significant data breach affecting the company.” The revised complaint also elaborates on claims that Taskus ignored Section 5 of the FTC Act, framing these issues as systematic rather than isolated incidents.
These standards outline how businesses should operate to avoid “unfair” practices, as explained by Andrew Rossow, a legal expert. “While not all guidelines are legally binding, overlooking them can indicate that a company may be negligent or misleading.”
Courts and regulators are now evaluating whether the breached data is sensitive enough to expose individuals to identity theft or financial harm. They’re also looking into whether appropriate safeguards such as encryption and multi-factor authentication were implemented, whether risks were foreseeable, and if the security measures aligned with reality, alongside whether consumers are equipped to protect themselves.
