Coinbase’s Customer Service Provider Sued Over Data Breach (1)

Customer-support services provider TaskUs Inc. negligently failed to protect the personal information of nearly 100,000 people after a March data breach hit the Coinbase Inc. cryptocurrency exchange, a proposed federal class action alleges.

The lawsuit places TaskUs, a Coinbase contractor, at the center of the breach, which reportedly affected around 1% of Coinbase’s 9.7 million active customers.

Lead plaintiff Nelson Estrada alleges that the breach occurred after cybercriminals bribed “rogue overseas support agents” for Coinbase to disclose customer data. Those employees worked at TaskUs’s customer call centers based in India, according to a complaint filed Tuesday in the US District Court for the Southern District of New York.

Coinbase executives first became aware of the breach in January, Estrada’s complaint alleges, citing a Bloomberg news report. At nearly the same time, TaskUs decided to fire 300 employees at its India call centers over allegations of fraud, the complaint says.

“The reported timeline of Coinbase’s awareness of the data breach coincides directly with TaskUs’ involvement in the data breach,” the complaint says.

TaskUs said in a statement, “Early this year we identified two individuals who illegally accessed information from one of our clients. We believe these two individuals were recruited by a much broader, coordinated criminal campaign against this client that also impacted a number of other providers servicing this client. We immediately reported this activity to the client, terminated the individuals involved, and are coordinating with law enforcement.”

Coinbase isn’t named as a defendant in Estrada’s lawsuit but is facing at least 13 other proposed federal class actions over the breach. It expects to pay out between $180 million and $400 million in remediation costs and customer reimbursements related to the incident, according to a May 14 SEC filing.

Coinbase didn’t respond immediately to a request for comment.

TaskUs breached its duties under common law, contract law, industry standards, and the Federal Trade Commission Act to implement reasonable and adequate data-security measures and provide timely notice of the breach, the complaint says.

Information exposed in the incident included names, addresses, phone numbers, email addresses, Social Security numbers, bank account numbers and identifiers, government-ID images, and account data, it says.

Estrada seeks to represent a nationwide class and a California subclass of people affected by the breach.

The complaint brings claims of negligence, negligence per se, breach of implied contract, unjust enrichment, declaratory judgment, and violations of the California Unfair Competition Law and the California Consumer Privacy Act.

Estrada is seeking actual, statutory, and punitive damages; restitution and disgorgement; declaratory, equitable and injunctive relief; attorneys’ fees and costs; and pre- and post-judgment interest.

Greenbaum Law Group LLP represents Estrada and the proposed class.

The case is Estrada v. TaskUs Inc., S.D.N.Y., No. 1:25-cv-04409, complaint filed 5/27/25.