A U.S. outsourcing company, TaskUs, is facing fresh allegations that it concealed the scale of a data breach tied to cryptocurrency exchange Coinbase and attempted to silence employees investigating the incident.
According to an amended class-action lawsuit filed Tuesday by law firm Greenbaum Olbrantz, TaskUs failed to disclose key details about the breach, which reportedly affected more than 69,000 Coinbase customers. The complaint centers on TaskUs employee Ashita Mishra, who is accused of playing a central role in a scheme to leak sensitive customer data.
Insider Role in the Breach
Coinbase publicly acknowledged the breach in May, stating that it had reimbursed affected customers, notified regulators, and severed ties with TaskUs while tightening its own security measures.
The lawsuit alleges Mishra and unnamed accomplices stole confidential customer information between September and January, selling it to hackers who used the data to impersonate Coinbase staff and steal cryptocurrency from unsuspecting victims. The amended filing describes the operation as a “hub-and-spoke conspiracy” designed to keep participants unaware of one another, making it harder to uncover the full scope of the theft.
Court documents claim Mishra and her group were paid around $200 per stolen photo of customer data. At one point, she allegedly captured up to 200 photos a day, with her phone later found to contain information from more than 10,000 Coinbase accounts. Coinbase, however, has previously said the breach took place in December, a shorter timeframe than the one alleged in the lawsuit.
Alleged Concealment by TaskUs
Beyond the actions of individual employees, the amended suit accuses TaskUs of actively downplaying its role in the incident. The company allegedly fired nearly 300 employees at its Indore, India office after the breach came to light, a move the complaint claims was intended to mask how deeply the conspiracy had penetrated its systems.
Ben Weiss,Jeff John Roberts
Investigators also allege TaskUs disbanded parts of its human resources team and terminated staff members involved in probing the breach, which the lawsuit describes as “a pattern of concealment.”
Adding to the controversy, TaskUs’ February Form 10-K filing reportedly failed to disclose the Coinbase breach, stating instead that the company was “not aware of any material data breaches” — despite being linked to the incident.
Wider Security Concerns
While Coinbase confirmed no funds were directly stolen from the exchange itself, the exposure of personal information has raised concerns over identity theft and phishing attacks targeting customers. Hackers calling themselves “the Comm” are suspected of orchestrating the wider scheme.
The legal battle now puts TaskUs under increased scrutiny, both for its handling of the breach and its communications with regulators and investors. The outcome could set a precedent for accountability among third-party service providers managing sensitive financial data.
