Coinbase faces multiple lawsuits following customer data security violations

Coinbase Faces Legal Storm Over User Data Breach

Coinbase is currently facing a surge of legal challenges after revealing that a recent cyberattack exposed customer data, prompting users to accuse the company of mishandling both security and its response.

Between May 15 and 16, at least six lawsuits were filed against the crypto exchange, claiming that Coinbase did not enforce strong enough security protocols to safeguard user information and failed to manage the aftermath of the breach effectively.

One such lawsuit, submitted to a New York federal court by plaintiff Paul Bender on May 16, alleges that Coinbase failed to protect the personal and sensitive data of millions of users during the incident.

According to the exchange, the breach occurred after cybercriminals bribed several customer support staff members to gain access to internal systems. The attackers then stole limited user data, including names, addresses, contact details, partial Social Security numbers, bank information, and identity documents such as driver’s licenses and passports. Some account details like transaction history and balance information were also accessed.

Bender argued that Coinbase lacked adequate and reasonable security protections, placing users at ongoing risk. The lawsuit described the company’s response as slow, disorganized, and insufficient, stating that affected users were not promptly informed and that Coinbase failed to provide tools like identity protection services or clear guidance.

The legal complaint warns that users could be at serious risk of identity theft and financial fraud, with long-term or even permanent consequences due to the exposure of unrecoverable data.

Additional Lawsuits Raise Similar Concerns

Two other federal lawsuits filed in New York echoed these allegations. A fourth lawsuit added that Coinbase benefited unfairly by underinvesting in data security, demanding compensation and further protection of user data.

A fifth lawsuit, filed in California, also accused Coinbase of failing to safeguard user data and asked the court to force the company to delete sensitive user information and engage independent security auditors.

While Coinbase has declined to comment directly on the lawsuits, it referred media inquiries to a public blog post addressing the breach. The company confirmed it rejected a $20 million ransom demand and promised to reimburse users who were tricked into sending funds to phishing scammers as a result of the data exposure.

In a regulatory filing, Coinbase estimated that it may need to spend between $180 million and $400 million to compensate affected users.

Reports also suggest the company terminated several India-based customer service employees suspected of helping attackers gain access through social engineering.

Following the disclosure of the breach and news of an ongoing SEC investigation into prior user data reporting, Coinbase stock (COIN) fell 7%, reaching $244. However, by May 16, it rebounded 9% to $266, according to Google Finance.