Incident Types: The types of cybersecurity incidents that have occurred include Breach.

Total Financial Loss: The total financial loss from these incidents is estimated to be $804.50 million.

Detection and Response: The company detects and responds to cybersecurity incidents through an law enforcement notified with yes, and communication strategy with notified affected customers, and incident response plan activated with yes (coinbase notified users/regulators, cut ties with involved parties), and containment measures with termination of 226 taskus employees, containment measures with severed ties with overseas agents, containment measures with tightened access controls, and remediation measures with strengthened global security protocols, remediation measures with enhanced training programs, and communication strategy with notified affected users, communication strategy with regulatory disclosures, communication strategy with public statements (limited details), and enhanced monitoring with yes (post-breach), and third party assistance with managed detection and response (mdr) providers, third party assistance with cybersecurity vendors (e.g., eset for encryption), and containment measures with isolation of compromised systems, containment measures with revocation of stolen credentials, containment measures with deployment of edr/xdr tools, and remediation measures with patch management, remediation measures with encryption of data at rest/in transit (aes-256), remediation measures with multi-factor authentication (mfa) enforcement, remediation measures with security awareness training, and recovery measures with data restoration from backups, recovery measures with system hardening, recovery measures with post-breach audits, and communication strategy with regulatory notifications (gdpr, etc.), communication strategy with customer advisories, communication strategy with transparency reports, and network segmentation with recommended as part of layered defense, and enhanced monitoring with via edr/xdr or mdr services, and and and containment measures with termination of compromised employees, containment measures with securing customer support tools, and remediation measures with offering $20m bounty for perpetrator information, remediation measures with reimbursing victims of related scams, remediation measures with enhanced monitoring for phishing attempts, and communication strategy with public blog post, communication strategy with sec 8-k filing, communication strategy with customer advisories warning of imposter scams, and and incident response plan activated with yes, and law enforcement notified with yes (u.s. justice department, sec), and containment measures with termination of involved employees, containment measures with enhanced security measures, and remediation measures with tracing stolen funds, remediation measures with flagging large withdrawals, remediation measures with $20m bounty for hacker information, remediation measures with reimbursement for scammed users, and communication strategy with breach notification letters to 69,461 victims, communication strategy with public disclosure via sec filing, communication strategy with media statements, and enhanced monitoring with yes (withdrawal monitoring, suspicious activity detection), and and containment measures with warning customers about social engineering risks, and remediation measures with bounty program for attacker information ($200m), and communication strategy with public disclosure, communication strategy with customer advisories on social engineering risks..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Customer Service Representatives, Insider Threat, TaskUs Indore service center (India), Stolen Credentials (22% of breaches)Phishing (16% of breaches)Infostealer Malware (75% of 3.2B credentials in 2024)Unpatched VulnerabilitiesThird-Party Compromises, Customer support agents (bribed insiders in India), Bribed overseas support agents (India) and Bribed overseas customer service support agents.

Average Financial Loss: The average financial loss per incident is $100.56 million.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personally Identifiable Information, Banking Data, Account Details, , Names, Emails, Partial Financial Information, Ssn, Transaction History, Id Document Scans, , Names, Bank Account Numbers, Routing Numbers, , Personally Identifiable Information (Pii), Financial Data, Account Credentials, , Pii, Financial Records, Intellectual Property, M&A Plans, Customer Data, Credentials (Usernames/Passwords), , Pii (Personally Identifiable Information), Financial Data (Masked), Government-Issued Ids, Transaction Histories, Corporate Data, , Personally Identifiable Information (Pii), Financial Data, Account Information, , Personal Identifiable Information (Pii), Contact Information, Financial Data (Masked), Government Id Images, Corporate Data and .

Incident Response Plan: The company's incident response plan is described as Yes, .

Third-Party Assistance: The company involves third-party assistance in incident response through Managed Detection and Response (MDR) Providers, Cybersecurity Vendors (e.g., ESET for encryption), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: strengthened global security protocols, enhanced training programs, , Patch Management, Encryption of Data at Rest/In Transit (AES-256), Multi-Factor Authentication (MFA) Enforcement, Security Awareness Training, , Offering $20M bounty for perpetrator information, Reimbursing victims of related scams, Enhanced monitoring for phishing attempts, , Tracing stolen funds, Flagging large withdrawals, $20M bounty for hacker information, Reimbursement for scammed users, , Bounty program for attacker information ($200M), .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by termination of 226 taskus employees, severed ties with overseas agents, tightened access controls, , isolation of compromised systems, revocation of stolen credentials, deployment of edr/xdr tools, , termination of compromised employees, securing customer support tools, , termination of involved employees, enhanced security measures, , warning customers about social engineering risks and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Data Restoration from Backups, System Hardening, Post-Breach Audits, .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through class-action lawsuits (e.g., Greenbaum Olbrantz), consolidation of hack-related complaints, , Potential lawsuits from affected customers/partners, U.S. Justice Department investigation, SEC filing, .

Key Lessons Learned: The key lessons learned from past incidents are High vulnerability of crypto executives and concern for their safetyrisks of outsourcing sensitive operations,need for stricter insider threat monitoring,importance of transparency in breach disclosures,consequences of delayed detection (breach started in September 2024 but disclosed in May 2025)Encryption is critical but underutilized (only 87% of businesses increasing investment in 2024).,Multi-layered security (MFA, EDR/XDR, MDR) is essential to counter evolving threats.,Remote/hybrid work expands the attack surface; endpoint security must be prioritized.,Third-party risks and insider threats require continuous monitoring.,Proactive threat hunting and real-time response reduce breach impact.,Compliance with regulations (GDPR, NIS2, etc.) is non-negotiable and tied to cyber insurance eligibility.Vulnerability of insider threats, especially in overseas operations; importance of monitoring for bribery/social engineering risks among support agents; need for robust customer education on phishing scams post-breach.Importance of strengthening insider threat detection and access governance, especially in outsourced and globally distributed operations.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Enforce MFA and strong access controls to mitigate credential abuse., Ensure compliance with sector-specific regulations (GDPR, HIPAA, etc.)., conduct regular audits of outsourced operations, enhance employee monitoring (especially in high-risk regions), Deploy EDR/XDR solutions for cross-layer detection and response., Evaluate cyber insurance policies to ensure coverage aligns with risk exposure., Implement AES-256 encryption for data at rest and in transit (FDE, email, cloud, removable media)., Develop and test an incident response plan with clear communication protocols., Adopt MDR services if in-house resources are limited., invest in insider threat detection tools, improve incident response transparency, revaluate outsourcing partnerships for critical data handling, Conduct regular vulnerability assessments and patch management., Train employees on phishing, social engineering, and secure remote work practices., Monitor dark web for stolen credentials/data (e.g., via infostealer logs). and implement stricter access controls for third-party vendors.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Reuters, and Source: BleepingComputer, and Source: Maine Office of the Attorney General, and Source: Fortune, and Source: Class-action complaint by Greenbaum Olbrantz (amended filing)Date Accessed: 2025-02, and Source: Coinbase regulatory filings, and Source: IBM Cost of a Data Breach Report 2025, and Source: Verizon Data Breach Investigations Report (DBIR), and Source: Cisco Consumer Privacy Survey, and Source: ESET Encryption Solutions, and Source: Coinbase Blog PostDate Accessed: 2023-05-11, and Source: Coinbase SEC 8-K FilingDate Accessed: 2023-05-11, and Source: Fortune MagazineUrl: https://fortune.comDate Accessed: 2023-05-11, and Source: The Block (Cryptocurrency News)Url: https://www.theblock.coDate Accessed: 2023-05-11, and Source: Bloomberg, and Source: Coinbase SEC FilingDate Accessed: May 2025, and Source: Coinbase Breach Notification LettersDate Accessed: May 2025, and Source: SiliconANGLE, and Source: Swimlane Lead Security Automation Architect Nick Tausek.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Notified affected customers, Notified Affected Users, Regulatory Disclosures, Public Statements (Limited Details), Regulatory Notifications (Gdpr, Etc.), Customer Advisories, Transparency Reports, Public Blog Post, Sec 8-K Filing, Customer Advisories Warning Of Imposter Scams, Breach Notification Letters To 69,461 Victims, Public Disclosure Via Sec Filing, Media Statements, Public Disclosure and Customer Advisories On Social Engineering Risks.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Notified nearly 70,000 customers, Coinbase Notified Affected Users And Regulators, Taskus Issued Statements On Security Enhancements, Coinbase Alerted Impacted Customers About The Breach And Potential Fraud Risks, , Businesses Should Audit Encryption Practices And Invest In Aes-256 Solutions., Regulators Emphasize Compliance With Dora, Nis2, Gdpr, Etc., To Avoid Fines., Cyber Insurance Providers May Deny Claims Without Proof Of Encryption/Mfa., Customers Demand Transparency Post-Breach; 94% Would Avoid Non-Compliant Companies., Monitor Financial Accounts For Fraud Post-Breach., Enable Mfa On All Personal/Commercial Accounts., Report Suspicious Emails (Phishing) To It Teams., Use Password Managers To Mitigate Credential Theft Risks., , Warnings issued about imposter scams targeting customers; commitment to reimburse victims of related fraud., Public advisory to expect imposters posing as Coinbase employees; reminder that Coinbase will never ask for passwords, 2FA codes, or fund transfers., Breach notifications to 69,461 affected individuals, SEC disclosure, Sample breach notification letters warning of social engineering risks; reimbursement pledge for scammed users, Warning About Potential Social Engineering Attacks, Notification Of Data Breach And Risks Of Follow-Up Attacks and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as yes (post-breach), Managed Detection And Response (Mdr) Providers, Cybersecurity Vendors (E.G., Eset For Encryption), , Via EDR/XDR or MDR Services, , Yes (withdrawal monitoring, suspicious activity detection).

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Termination Of Involved Personnel, Strengthened Security Protocols And Training, Severed Ties With High-Risk Vendors, Legal Defense Against Lawsuits, , Mandate Aes-256 Encryption For All Sensitive Data., Deploy Edr/Xdr And Mdr For 24/7 Monitoring., Enforce Mfa And Password Managers Enterprise-Wide., Conduct Regular Red Team Exercises To Test Defenses., Implement Zero-Trust Architecture Principles., Partner With Threat Intelligence Providers To Track Stolen Data., Review Cyber Insurance Policies Annually., , Termination Of Compromised Employees, Enhanced Monitoring And Access Controls For Support Tools, $20M Bounty For Perpetrator Information, Customer Reimbursement Policy For Scam Victims, , Termination Of Involved Employees, Enhanced Security Measures, $20M Bounty Program, Withdrawal Monitoring, , Bounty Program For Attacker Information, Customer Notifications And Advisories, .

Ransom Payment History: The company has Paid ransoms in the past.

Last Ransom Demanded: The amount of the last ransom demanded was $20 million.

Last Attacking Group: The attacking group in the last incident were an Unknown, Unknown, Ashita Mishra (TaskUs employee)unnamed accomplices (TaskUs employees, including team leaders)criminal collective 'the Comm' (teenagers/young adults), Cybercriminal Groups (Ransomware Operators)State-Sponsored Actors (Implied)Insider Threats (Malicious/Accidental)Initial Access Brokers (IABs)Infostealer Malware Operators, Unknown threat actor (extortionist), Cybercriminals (allegedly based in India) and Unknown (Bribed Insiders)External Attackers.

Most Recent Incident Detected: The most recent incident detected was on January 2025.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on May 2025.

Highest Financial Loss: The highest financial loss from an incident was $4.5 million (average cost per breach in 2025; potential for higher losses depending on data type).

Most Significant Data Compromised: The most significant data compromised in an incident were Names, Dates of birth, Addresses, Nationalities, Government ID numbers, Some banking data, Account details, , names, emails, partial financial information, SSN, transaction history, ID document scans, , names, bank account numbers, routing numbers, , Social Security numbers, bank account information, customer account details, , Personally Identifiable Information (PII), Intellectual Property (IP), Financial Data, Mergers & Acquisitions (M&A) Plans, Customer Data, Sensitive Corporate Data, , Names, Addresses, Phone numbers, Email addresses, Masked last 4 digits of SSN/tax IDs, Encoded bank account numbers, Government ID images (e.g., driver’s licenses), Transaction histories, Limited corporate data, , Photos of passports, Government IDs, Names, Dates of birth, Last four digits of Social Security numbers, Bank account numbers, Account information (balances, transaction history), and .

Most Significant System Affected: The most significant system affected in an incident were TaskUs internal systems (Indore, India service center)Coinbase customer support databases and Customer support tools and Customer Support Systems.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was managed detection and response (mdr) providers, cybersecurity vendors (e.g., eset for encryption), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were termination of 226 TaskUs employeessevered ties with overseas agentstightened access controls, Isolation of Compromised SystemsRevocation of Stolen CredentialsDeployment of EDR/XDR Tools, Termination of compromised employeesSecuring customer support tools, Termination of involved employeesEnhanced security measures and Warning customers about social engineering risks.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were transaction history, names, Account information (balances, transaction history), Customer Data, Photos of passports, ID document scans, customer account details, Encoded bank account numbers, Dates of birth, Transaction histories, routing numbers, bank account information, Government IDs, Government ID images (e.g., driver’s licenses), Addresses, Sensitive Corporate Data, Financial Data, Intellectual Property (IP), Mergers & Acquisitions (M&A) Plans, partial financial information, emails, Phone numbers, Limited corporate data, SSN, Government ID numbers, Some banking data, Bank account numbers, Masked last 4 digits of SSN/tax IDs, Nationalities, Names, bank account numbers, Social Security numbers, Personally Identifiable Information (PII), Account details, Last four digits of Social Security numbers and Email addresses.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 1.3B.

Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was $200 million.

Highest Ransom Paid: The highest ransom paid in a ransomware incident was No.

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was class-action lawsuits (e.g., Greenbaum Olbrantz), consolidation of hack-related complaints, , Potential lawsuits from affected customers/partners, U.S. Justice Department investigation, SEC filing, .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Compliance with regulations (GDPR, NIS2, etc.) is non-negotiable and tied to cyber insurance eligibility., Vulnerability of insider threats, especially in overseas operations; importance of monitoring for bribery/social engineering risks among support agents; need for robust customer education on phishing scams post-breach., Importance of strengthening insider threat detection and access governance, especially in outsourced and globally distributed operations.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Strengthen insider threat detection programs, particularly for overseas employees with access to sensitive data., conduct regular audits of outsourced operations, enhance employee monitoring (especially in high-risk regions), Evaluate cyber insurance policies to ensure coverage aligns with risk exposure., Implement stricter access governance for third-party vendors, revaluate outsourcing partnerships for critical data handling, Train employees on phishing, social engineering, and secure remote work practices., Enhance insider threat detection programs, Ensure compliance with sector-specific regulations (GDPR, HIPAA, etc.)., Deploy EDR/XDR solutions for cross-layer detection and response., Implement AES-256 encryption for data at rest and in transit (FDE, email, cloud, removable media)., Implement stricter access controls and logging for customer support tools., Monitor dark web for exposed data, invest in insider threat detection tools, improve incident response transparency, Monitor dark web for stolen credentials/data (e.g., via infostealer logs)., Proactively communicate with customers about potential scams following a breach., Enforce MFA and strong access controls to mitigate credential abuse., Adopt MDR services if in-house resources are limited., Conduct regular vulnerability assessments and patch management., Enhance employee training on bribery and social engineering tactics., Consider proactive bounty programs to incentivize threat intelligence sharing., implement stricter access controls for third-party vendors, Conduct regular audits of customer support systems, Develop and test an incident response plan with clear communication protocols. and Invest in employee training to prevent bribery and social engineering.

Most Recent Source: The most recent source of information about an incident are SiliconANGLE, IBM Cost of a Data Breach Report 2025, Maine Office of the Attorney General, ESET Encryption Solutions, BleepingComputer, Coinbase regulatory filings, The Block (Cryptocurrency News), Verizon Data Breach Investigations Report (DBIR), Reuters, Class-action complaint by Greenbaum Olbrantz (amended filing), Fortune Magazine, Coinbase SEC Filing, Bloomberg, Coinbase Breach Notification Letters, Cisco Consumer Privacy Survey, Swimlane Lead Security Automation Architect Nick Tausek, Coinbase Blog Post, Fortune and Coinbase SEC 8-K Filing.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://fortune.com, https://www.theblock.co .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Coinbase notified affected users and regulators, TaskUs issued statements on security enhancements, Businesses should audit encryption practices and invest in AES-256 solutions., Regulators emphasize compliance with DORA, NIS2, GDPR, etc., to avoid fines., Cyber insurance providers may deny claims without proof of encryption/MFA., Customers demand transparency post-breach; 94% would avoid non-compliant companies., Warnings issued about imposter scams targeting customers; commitment to reimburse victims of related fraud., Breach notifications to 69,461 affected individuals, SEC disclosure, Warning about potential social engineering attacks, .

Most Recent Customer Advisory: The most recent customer advisory issued were an Notified nearly 70,000 customers, Coinbase alerted impacted customers about the breach and potential fraud risks, Monitor financial accounts for fraud post-breach.Enable MFA on all personal/commercial accounts.Report suspicious emails (phishing) to IT teams.Use password managers to mitigate credential theft risks., Public advisory to expect imposters posing as Coinbase employees; reminder that Coinbase will never ask for passwords, 2FA codes, or fund transfers., Sample breach notification letters warning of social engineering risks; reimbursement pledge for scammed users and Notification of data breach and risks of follow-up attacks.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an TaskUs Indore service center (India), Bribed overseas customer service support agents, Bribed overseas support agents (India), Customer support agents (bribed insiders in India), Customer Service Representatives and Insider Threat.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was potentially months (breach started in September 2024, detected in January 2025).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Insider Threat, Insider Threat, insufficient oversight of outsourced employeeslack of monitoring for data exfiltration (e.g., screenshots)cultural/compliance gaps in offshore operationsdelayed breach detection (September 2024 to January 2025)conspiracy involving multiple employees (including managers), Lack of Encryption (Data at Rest/In Transit)Weak Credential Hygiene (No MFA, Password Reuse)Unpatched SoftwareInsufficient Endpoint ProtectionPoor Employee Training (Phishing Susceptibility)Over-Reliance on Perimeter Security, Insufficient safeguards against insider threats (bribery vulnerability)Lack of real-time monitoring for unauthorized data copying in support toolsGeographic risk concentration (overseas support agents targeted), Insider threat (bribed support agents)Inadequate access controls/monitoring for support personnel, Inadequate insider threat detectionWeak access controls for third-party support agentsLack of oversight for overseas operations.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was termination of involved personnelstrengthened security protocols and trainingsevered ties with high-risk vendorslegal defense against lawsuits, Mandate AES-256 encryption for all sensitive data.Deploy EDR/XDR and MDR for 24/7 monitoring.Enforce MFA and password managers enterprise-wide.Conduct regular red team exercises to test defenses.Implement zero-trust architecture principles.Partner with threat intelligence providers to track stolen data.Review cyber insurance policies annually., Termination of compromised employeesEnhanced monitoring and access controls for support tools$20M bounty for perpetrator informationCustomer reimbursement policy for scam victims, Termination of involved employeesEnhanced security measures$20M bounty programWithdrawal monitoring, Bounty program for attacker informationCustomer notifications and advisories.