Coinbase Faces Legal Firestorm Over Data Breach, Insider Bribery, and Biometric Privacy Violations
![Robot extracts biometric [XXX] fragments from glowing translucent orb](https://prod-coin360-cms.s3.eu-central-1.amazonaws.com/Robot_extracts_biometric_XXX_fragments_from_glowing_translucent_orb_d291bb7a57.webp)
Multiple Class Actions Allege Security Negligence and Data Misuse
Coinbase is under intense legal scrutiny after revelations of a major data breach, insider corruption, and alleged biometric privacy violations sparked at least six class-action lawsuits between May 13 and 16, 2025. The breach, now confirmed by multiple filings, involved unauthorized access to user data through bribery of India-based customer support contractors.
Hackers reportedly paid Coinbase agents for system access, enabling the theft of personally identifiable information such as email addresses, phone numbers, masked Social Security numbers, and transaction histories. Although private keys and passwords were not exposed, plaintiffs argue the compromised data poses severe, lifelong risks of identity theft and fraud.
Court documents reveal Coinbase refused to pay a $20 million ransom demanded by the perpetrators. Instead, the exchange announced a matching $20 million bounty to incentivize leads that could help identify and prosecute the attackers. Critics argue the company’s response was sluggish and disorganized.
According to plaintiffs, users weren’t notified promptly, and Coinbase failed to offer identity protection or actionable steps in the immediate aftermath. The lawsuits collectively describe Coinbase’s breach response as “fragmented and uncoordinated,” with one suit, led by Paul Bender in New York, citing the absence of even basic data protection protocols.
On May 19, Bloomberg reported that Coinbase is under investigation by the U.S. Department of Justice following the cyberattack. Coinbase has reported the incident to law enforcement and is cooperating fully, with Chief Legal Officer Paul Grewal expressing support for criminal charges against the attackers.
Further class actions filed by users in Maine and Texas claim Coinbase had grossly underinvested in cybersecurity infrastructure, did not properly train its employees, and failed to monitor its outsourced support staff. These allegations were echoed in a separate California lawsuit by Rosemary Ortiz, who argued the company unnecessarily retained outdated personal data that should have been deleted or encrypted—thereby amplifying the breach’s damage. Plaintiffs from all suits emphasized that while direct financial harm has not yet been reported, the leaked data places users at ongoing risk, forcing them to bear the cost of continuous credit monitoring and financial protection.
Coinbase acknowledged the incident in a public statement, pledging “full transparency,” and disclosed to the U.S. Securities and Exchange Commission that it has set aside between $180 million and $400 million to cover possible reimbursements and mitigation efforts.
As part of its remediation plan, Coinbase has terminated the involved Indian contractors and referred them for criminal prosecution. The firm has also implemented enhanced ID verification checks and scam-awareness prompts, and has bolstered its internal systems to detect insider threats more efficiently. Plans are underway to open a new, U.S.-based customer support center.
Simultaneously, a separate federal class-action lawsuit was filed in Illinois on May 13, targeting Coinbase’s biometric data practices. Plaintiffs Scott Bernstein, Gina Greeder, and James Lonergan accuse the company of violating the state’s Biometric Information Privacy Act (BIPA) through its Know Your Customer (KYC) process. The suit alleges Coinbase collected users’ facial biometrics from selfies and government-issued IDs without obtaining explicit written consent, as required under BIPA. Furthermore, the company allegedly failed to notify users about how their data would be stored, shared, or ultimately destroyed.
The biometric data was reportedly processed by third-party providers—Jumio, Onfido, Au10tix, and Solaris—acting under Coinbase’s direction to extract and analyze facial geometry. Plaintiffs claim Coinbase facilitated indiscriminate biometric harvesting and unlawfully shared this data without proper user authorization or public disclosure. The lawsuit seeks statutory damages of $5,000 for each intentional or reckless violation and $1,000 for each negligent breach, alongside court orders to change Coinbase’s data handling policies and cover litigation costs.
More than 10,000 users have filed arbitration claims against Coinbase over the biometric issue through the American Arbitration Association. Many of these cases were dismissed after Coinbase allegedly refused to pay required arbitration fees, further escalating criticism of the platform’s handling of user grievances. As legal battles mount on multiple fronts, the exchange now faces significant reputational and financial exposure amid intensifying regulatory and user backlash.
This article has been refined and enhanced by ChatGPT.