Coinbase Says Data Breach Could Cost Up to $400 Million

Popular cryptocurrency exchange platform Coinbase said a recent data security incident it suffered could cost the company upto $400 million.

 

With over 100 million users, American cryptocurrency exchange Coinbase Global is the largest US-based crypto exchange as well as the world’s biggest bitcoin custodian, as of 2024.

 

In a filing with the U.S. Securities and Exchange Commission (SEC), Coinbase said that it received an email on May 11 from a threat actor claiming to have breached its internal network and stolen customer data, along with internal documentation related to customer service and account management systems.

 

The company immediately launched an investigation, with assistance from external cyber security experts, to determine the scope of the incident.

 

“The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities. These instances of such personnel accessing data without business need were independently detected by the Company’s security monitoring in the previous months. 

 

“Upon discovery, the Company had immediately terminated the personnel involved and also implemented heightened fraud-monitoring protections and warned customers whose information was potentially accessed in order to prevent misuse of any compromised information,” Coinbase said.

 

The compromised data included names, addresses, phone numbers, emails, masked Social Security, masked bank-account numbers and some bank account identifiers, government‑ID images, Coinbase account data and corporate data including documents, training material, and communications available to support agents.

 

Coinbase stated that the threat actors demanded a $20 million ransom to prevent the public release of stolen data. However, the company has declined to pay and is actively collaborating with law enforcement to resolve the matter promptly.

 

“Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack,” the company said in a blogpost.

 

Although Coinbase has not observed any significant operational impact from the incident, it anticipates incurring between $180 million and $400 million in remediation expenses and voluntary reimbursements to affected customers.