Between May 15 and May 16, at least six lawsuits were filed, accusing Coinbase of failing to secure personal data and mishandling the aftermath of the breach.
In a complaint filed in a New York federal court on May 16, plaintiff Paul Bender alleged that Coinbase failed to adequately protect the sensitive personal information of millions of users. A day earlier, on May 15, Coinbase had disclosed that it received a $20 million extortion attempt after a group of cybercriminals bribed multiple support agents to access internal systems and steal user data.
The stolen information included names, addresses, phone numbers, emails, the last four digits of Social Security numbers, some banking information, driver’s licenses, passports, and account data such as balance snapshots and transaction histories.
The plaintiff accused Coinbase of failing to implement and maintain reasonable security measures, exposing users to “serious and ongoing risks.” The complaint also stated that Coinbase’s response to the incident was “delayed, inconsistent, and inadequate.”
“Users were not promptly or fully informed of the incident. Coinbase failed to take concrete steps to mitigate harm, did not provide identity protection services, or offer clear guidance to affected individuals,” the complaint said.
The plaintiffs warned that users could face a high risk of identity theft and financial fraud, with long-term or potentially irreversible consequences due to the permanent exposure of sensitive data.
Multiple lawsuits with similar allegations
Two other lawsuits filed in New York federal court raised similar accusations. A fourth lawsuit added a charge of unjust enrichment, arguing that Coinbase failed to adequately invest in its data security infrastructure. All of these lawsuits seek damages and call for the court to require Coinbase to implement measures to better protect user data.
Meanwhile, another lawsuit filed in California on May 15 also made similar allegations but additionally demanded that Coinbase delete all sensitive data related to the plaintiffs and hire an independent third-party auditor to evaluate its security systems.
