Coinbase, the largest cryptocurrency exchange in the United States, is facing at least six lawsuits filed in federal courts between May 13 and May 16, 2025, with plaintiffs accusing the exchange of failing to protect sensitive user data and violating biometric privacy laws.
The legal onslaught comes just days after Coinbase disclosed last Thursday that cybercriminals had accessed internal systems by bribing several of its customer support agents. The breach, which reportedly occurred on May 11, compromised data belonging to thousands of users, and the attackers are now demanding a $20 million ransom.
According to Coinbase, the stolen data includes names, addresses, phone numbers, email addresses, the last four digits of Social Security numbers, bank account details, driver’s licenses, passports, and account-related information such as balance snapshots and transaction history.
The company stated the breach impacted less than 1% of its 8 million monthly transacting users, which would equate to under 80,000 individuals.
One of the lawsuits, filed in a New York federal court by plaintiff Paul Bender on May 16, alleges that Coinbase failed to implement and maintain adequate security protocols, which has exposed users to “serious and ongoing risks.”
The complaint also accuses the exchange of mishandling the aftermath of the breach, calling its response “inadequate, fragmented, and delayed.”
“Users were not promptly or fully informed of the compromise. Coinbase did not immediately take meaningful steps to mitigate further harm, provide identity protection services, or offer actionable guidance to affected individuals,” the complaint read.
Bender’s suit claimed that the leaked data leaves users vulnerable to identity theft and financial fraud and may cause irreparable damage, given that personal information cannot be made secure once it has been exposed.
Coinbase was slapped with two additional lawsuits, also filed in New York and based on the same complaints, while a fourth case expands on the initial case to include a claim of unjust enrichment. That lawsuit claims Coinbase failed to invest “enough” in data security infrastructure and is profiting at the expense of user safety.
In a separate legal front, Coinbase is also facing a class-action lawsuit filed on May 13 in an Illinois federal court. Plaintiffs Scott Bernstein, Gina Greeder, and James Lonergan contend that Coinbase’s identity verification process violates the state’s Biometric Information Privacy Act (BIPA).
According to the lawsuit, Coinbase requires users to verify their identity by uploading a government-issued ID and a selfie. This information is then processed using facial recognition software to extract biometric identifiers.
The plaintiffs claimed that Coinbase did not properly notify users of this collection, nor did it disclose how long the data would be retained or how it would be destroyed.
In a blog post published the same day as the breach disclosure, Coinbase said it had refused to pay the $20 million ransom and instead launched a $20 million reward fund for information leading to the identification and arrest of those behind the attack.
Coinbase’s Chief Security Officer, Philip Martin, confirmed that the compromised customer service agents were based in India and have since been terminated. In a recent interview, Martin insisted that the company is working with law enforcement and industry partners to press charges against those responsible, including a “small group of insiders.”
“It sucks, but when we see a problem like this, we want to own it and make it right,” he said.
The company estimated the cost of addressing the breach and compensating affected customers could range from $180 million to $400 million.
Meanwhile, Coinbase is under investigation by the US Securities and Exchange Commission (SEC) for “misrepresenting” user metrics in prior disclosures.