Coinbase was reportedly aware as early as January of a customer data leak at an outsourcing firm, months before it publicly disclosed the breach that could cost the company up to $400m.
Reuters reported Wednesday that the leak originated from TaskUs, a US-based outsourcing provider with operations in India. A female employee at the company’s Indore office was allegedly caught photographing her work computer with a personal mobile phone.
The breach, which was first made public in a May 14 SEC filing, compromised the information of nearly 70,000 users. Stolen data included customer names, phone numbers, addresses, ID documents, account balances and transaction history. Internal company documents were also accessed.
The woman and a suspected accomplice were accused of selling Coinbase customer data to hackers in exchange for bribes.
The hackers allegedly demanded $20m in exchange for not leaking the stolen data. Coinbase refused to pay the ransom and instead announced a $20m bounty for information leading to those responsible. In response, Coinbase said it terminated the TaskUs personnel involved, cut ties with other overseas agents, and implemented tighter controls. It has not publicly named the other foreign agents implicated.
Coinbase, in its May SEC filing, admitted that contractors had accessed internal employee data without a business need in “previous months.”