
Coinbase disclosed a significant data breach last year that affected 69,461 users, including 217 residents of Maine. The breach involved cybercriminals bribing overseas customer support agents to access sensitive personal information such as names, addresses, phone numbers, emails, and government-ID images.
The breach occurred on December 26 but was only discovered on May 11 after Coinbase noted abnormal behavior among some customer service representatives. This incident has prompted a U.S. Justice Department investigation, with Coinbase cooperating with law enforcement agencies both in the U.S. and internationally.
According to Coinbase’s SEC filings, the financial cost of this breach could range between $180 million and $400 million. Additionally, an unknown threat actor demanded a $20 million ransom to prevent the release of stolen data. This disclosure reveals key gaps in consumer data protection laws, given Coinbase’s obligation as a public company to notify shareholders quickly, contrasted with a patchwork of state-level protections for customers.
In response to the breach, Coinbase updated its user agreement in April to limit class action lawsuits by adding clauses that restrict users’ legal actions to federal courts in New York. This move has sparked controversy and drawn accusations from security experts of gaslighting and of ignoring evidence of insider theft for months. Notably, some experts argue Coinbase was warned about insider risks well before publicly acknowledging the breach.
Coinbase CEO Brian Armstrong addressed the situation publicly through social media, but much of the detailed information on the breach has emerged from regulatory filings. Experts emphasize that SEC oversight is crucial in bringing transparency to the scope and impact of such incidents. As legal proceedings develop, questions remain about the timing and adequacy of Coinbase’s disclosures and consumer safeguards.