Coinbase Faces Mounting Legal Crisis After Biometric and Data Breach Lawsuits
May 19, 2025 at 11:04 pm
Coinbase is now facing a mounting legal crisis as fresh lawsuits targeted its biometric practices and recent data breach disclosure.
On May 13, three Illinois residents—Scott Bernstein, Gina Greeder, and James Lonergan—filed a class-action lawsuit in the U.S. District Court for the Northern District of Illinois against Coinbase (NASDAQ:COIN) over violations of the state’s Biometric Information Privacy Act (BIPA).
The lawsuit, No. 1:23-cv-03100, arose from Coinbase's Know Your Customer (KYC) process, which the plaintiffs said collected biometric identifiers for facial recognition technology without proper disclosure or consent.
As part of Coinbase's identity verification, users were required to upload a selfie and a government-issued ID, which a third-party software would process to extract facial geometry, according to the complaint. This amounted to a "wholesale collection" of faceprints, the plaintiffs asserted.
Coinbase Sued Over Facial Recognition, Biometric Violations
On May 13, Illinois residents Scott Bernstein, Gina Greeder, and James Lonergan sued Coinbase (NASDAQ:COIN) in federal court for allegedly violating the Biometric Information Privacy Act (BIPA).
The lawsuit, filed with the U.S. District Court for the Northern District of Illinois, focused on Coinbase's identity verification process and its handling of biometric data.
According to the complaint, Coinbase collects selfies and government-issued IDs from users as part of KYC procedures. This data is reportedly sent to third-party companies like Jumio, Onfido, Au10tix, and Solaris, who use it to create and store unique identifiers like facial geometry.
However, plaintiffs maintained that Coinbase failed to disclose this practice to users or obtain their written consent, despite being obligated to do so under BIPA.
"Coinbase does not publicly provide a retention schedule or destruction policy for biometric identifiers," the filing stated.
Moreover, the plaintiffs said that Coinbase refused to pay arbitration fees when over 10,000 users filed claims with the American Arbitration Association, leading to the automatic dismissal of those cases.
The lawsuit also highlighted the potential financial impact, noting that each willful BIPA violation carries a penalty of up to $5,000, while negligent violations could incur a minimum penalty of $1,000.
Data Breach Fallout Triggers Second Round of Lawsuits
The lawsuit concerning biometric violations came just two days before Coinbase disclosed a separate breach involving bribed employees and a $20 million extortion attempt.
In a May 15 disclosure, Coinbase revealed that cybercriminals had bribed several of its customer service agents in India to gain access to internal systems over a period of several months.
The attackers reportedly stole user data including names, email addresses, Social Security numbers, driver’s license details, and partial banking information—affecting about 1.9 million users.
Following this disclosure, at least six separate lawsuits were filed between May 15 and May 16, accusing Coinbase of failing to protect sensitive information and responding inadequately to the breach.
One complaint, filed by plaintiff Paul Bender in New York, focused on Coinbase's failure to "implement and maintain reasonable security safeguards."
Bender's suit described Coinbase's response as "inadequate, fragmented, and delayed," adding that affected users were not promptly informed or offered proper support.
The lawsuit also mentioned Coinbase's decision to cover the India-based customer support agents' bribery with a $500,000 grant program for Indian women in STEM, which Bender's complaint described as a "PR stunt."
Calls for Audits, Data Deletion, and Accountability
A fifth lawsuit filed in California took a more aggressive stance, requesting that Coinbase purge all sensitive user data and hire third-party auditors to test its systems. Another case accused the exchange of unjust enrichment, claiming it failed to invest enough in cybersecurity.
Coinbase has not yet publicly responded to the new lawsuits. Instead, it directed media outlets to a blog post addressing the data breach, in which it confirmed refusing the $20 million ransom and pledged to reimburse impacted users.
In a U.S. Securities and Exchange Commission filing, Coinbase estimated reimbursement costs could range between $180 million and $400 million.
The company also confirmed that it fired a group of India-based customer service agents allegedly involved in social engineering attacks linked to the breach.
COIN Price Swings as Legal Exposure Rises
Following the May 15 disclosure, Coinbase (NASDAQ:COIN) stock fell 7%, reaching $244. It rebounded 9% the next day to close at $266, according to Google Finance.
The lawsuits come as Coinbase continues to be investigated by the U.S. Securities and Exchange Commission over 2021 user metrics.
The convergence of biometric suits and data breach fallout could create long-term