Coinbase Faces Legal Challenges Over Biometric Data and Hacking Incident
U.S.-based cryptocurrency exchange Coinbase is in deep legal trouble after being hit with multiple lawsuits related to a massive data breach and the commercial collection of biometric data from users.
On May 13, a federal lawsuit was filed claiming Coinbase violated Illinois’ Biometric Information Privacy Act (BIPA). According to the plaintiffs, the exchange collected and stored the facial biometrics of users during the ID verification process without proper notice or written consent. Users upload either a government ID or a selfie. These images are then sent to third-party software like Jumio, Onfido, and others for facial verification. As per the complaint, users were never informed of how their data was used, stored, and deleted. Moreover, they were never given an opt-out option.
Around the same time, at least six other lawsuits were filed between May 15 and May 16 after an attack on Coinbase. Hackers who allegedly paid foreign customer support staff are thought to have accessed the firm’s internal systems, making off with highly sensitive personal data, including names, addresses, Social Security numbers and banking information. The lawsuits accuse Coinbase of poor security practices and an inadequate response to the breach.
In a federal lawsuit in New York, plaintiff Paul Bender accuses Coinbase of not having reasonable measures in place and of not notifying users quickly enough or offering identity monitoring. Among other allegations, the company is accused of “unjust enrichment” after reducing spending on cybersecurity while profiting from users. The suit in California seeks an order requiring Coinbase to delete sensitive user data and hire a third-party security auditor.
In a blog post, Coinbase said it refused to pay the hackers the $20 million ransom; however, the company has not yet made a public statement on the lawsuits. Instead, it promised to establish a $20 million reward fund to help find those responsible and to compensate users who lost money to phishing attacks caused by the breach.
As per a filing with the Securities and Exchange Commission (SEC), the hack may lead to a loss of up to $180–$400 million for Coinbase. The firm admitted that the stolen data might still be available online. Coinbase’s shares may have briefly surged after its inclusion in the S&P 500, but its reputation is damaged. Coinbase’s stock price fell after news of the breach but recovered to close at $266 on May 16. The company has reportedly laid off several Indian support agents as a result of the incident and is currently cooperating with law enforcement and regulators. As lawsuits pile up and regulatory scrutiny intensifies, Coinbase is under increasing pressure to improve its data protection practices and regain public trust.