The prominent US-based cryptocurrency exchange, Coinbase, finds itself in the middle of a major data breach impacting thousands of its customers. According to official statements, data from 69,461 users were leaked due to a bribery incident. The exposed data has been reportedly used for fraud and identity theft. Following the disclosure, Coinbase faced intense criticism regarding its public information process and the legal measures it took in response.
Data Breach Threatens Customer Security
Information shared by Coinbase with the Maine Attorney General’s office indicates that the breach originated with an external customer service team. These individuals improperly passed client data obtained through KYC processes to malicious parties, exposing highly sensitive information such as names, contact details, Social Security numbers, and identification documents.
The company reported that these details were utilized in social engineering attacks, allowing hackers to access some customers’ digital wallets and pilfer their assets. Hackers demanded a sum of 20 million dollars, which Coinbase refused to pay. Although some affected customers were provided identity protection services, trust was significantly undermined. The number of affected users represents about 1% of the Coinbase customer base, including 217 individuals in Maine.
Armstrong Criticizes KYC Procedures
As the situation unfolded, Brian Armstrong, Coinbase’s CEO, targeted KYC procedures in his social media comments. He emphasized that these data collection processes are legally required yet burdensome for both customers and companies. Armstrong pointed out that the data held are not effective in preventing illegal activities.
He argued that KYC and anti-money laundering laws, designed based on the conditions of the 1970s, are obsolete in today’s digital world. Collecting personal data within companies not only raises the risk of cyber-attacks but also introduces security vulnerabilities through human error. The requirement for cryptocurrency users to share personal information reignited discussions across the industry.
Furthermore, Coinbase’s timing of the data breach disclosure drew attention. The company announced the breach on May 14 but revised its user agreements on May 15, restricting class-action lawsuits to New York, which sparked accusations of manipulation. Researcher Molly White noted that numerous class-action lawsuits were filed immediately after the breach announcement. Coinbase, however, denied these allegations, asserting that the changes had been communicated since April 11.