An updated lawsuit against the U.S.-based outsourcing provider TaskUs alleges that the firm concealed vital information regarding the Coinbase data breach while downplaying the level of insider involvement.
Summary
- The updated lawsuit asserts that TaskUs hid details related to the Coinbase data breach.
- TaskUs employee Ashita Mishra is accused of masterminding the operation that affected over 69,000 Coinbase users.
According to Greenbaum Olbrantz, the law firm that launched the class action in May and filed the amended complaint on Tuesday, Ashita Mishra, a TaskUs employee, is allegedly at the center of the scheme that impacted more than 69,000 Coinbase clients.
In May, Coinbase confirmed the breach, stating it had compensated affected users, notified regulators, and severed ties with TaskUs while bolstering its internal security protocols.
Mishra, along with unidentified accomplices, reportedly misappropriated confidential data about Coinbase users from September to January, selling it to hackers who impersonated Coinbase employees to steal cryptocurrency from unsuspecting victims. However, Coinbase previously maintained that the breach occurred in December.
“Ms. Mishra was part of a sophisticated hub-and-spoke conspiracy that transferred Coinbase customer data from TaskUs systems to criminals at the heart of the operation,” the lawsuit alleges, referring to a TaskUs employee tasked with investigating the breach.
Reportedly, Mishra and a primary accomplice created “circles of isolated TaskUs employees” who were unaware of each other’s roles in the scheme, establishing a structure aimed at “continuously extracting highly sensitive personally identifiable information from TaskUs even if one participant was apprehended,” according to the complaint.
The accusations suggest that the perpetrators paid Mishra and her team $200 for each photograph containing Coinbase data, with previous claims from Coinbase indicating that she sometimes captured up to 200 photos daily. At the time TaskUs recognized the breach, Mishra’s phone reportedly contained data about over 10,000 Coinbase customers.
TaskUs allegedly concealed information
Further allegations in the revised lawsuit focus on TaskUs, which allegedly “took actions to silence those aware of the breach.”
The company had previously laid off nearly 300 employees from its Indore, India office, with the filing suggesting this was a reaction to the conspiracy’s “widespread infiltration of TaskUs’ systems, complicating the identification of all individuals involved.”
TaskUs is also said to have disbanded its human resources team and terminated staff responsible for investigating the breach, which the revised lawsuit describes as a “pattern of concealment.”
“Upon information and belief, TaskUs terminated these employees to obscure the true extent of its security failures,” the lawsuit stated.
Among other inconsistencies was a Form 10-K filing from TaskUs in February, which failed to disclose its connection to the Coinbase breach, effectively signaling to regulators and investors that the company was “unaware of any material data breaches” at that time.
According to earlier reports, a group of hackers known as “the Comm” is suspected of orchestrating the incident. While no funds were lost from the exchange, unauthorized access to sensitive customer data has raised concerns about potential identity theft and phishing risks for affected users.