Coinbase Says Cybercriminals Stole Customer Data, Sought Ransom — WSJ
By Colin Kellaher and Vicky Ge HuangCoinbase Global said Thursday that it has refused to pay a $20 million ransom demand from cybercriminals who bribed the company's overseas customer support agents to steal sensitive user data.The cryptocurrency exchange estimated that the incident could cost from $180 million to $400 million, between fixing the underlying issues and reimbursing customers, according to a regulatory filing.The disclosure sent the company's stock down more than 7% on Thursday. The data breach is a setback for the largest U.S. crypto exchange, which has cultivated a reputation for safety and largely avoided the type of attacks and thefts that have crippled many overseas exchanges.The company said it received an email on Sunday from an unknown party who claimed to have obtained information about certain customer accounts, adding that the threat actor appears to have obtained the information by paying multiple contractors or employees working in support roles outside the U.S.Coinbase said it determined that the email was credible, and that while customer funds weren't accessed, the stolen data included personal information such as names, addresses, phone numbers and email addresses; masked Social Security and bank-account numbers; government--ID images such as driver's licenses and passports; and account data such as balance snapshots and transaction histories.Tens of thousands of users were potentially affected. The company said less than 1% of Coinbase's monthly transacting users had their data pulled. That could be as many as 97,000 customers, based on Coinbase's latest usage disclosures.Coinbase said it is working with law enforcement to investigate the incident, adding that it is opening a new support hub in the U.S. and taking other measures to harden its defenses. It pledged to reimburse users who were tricked into sending funds to the attackers. The company also said it fired the insiders who cooperated with the hackers and will press criminal charges against them.In a video, Coinbase CEO Brian Armstrong said the company was refusing to pay the $20 million bitcoin ransom demand and setting up a $20 million reward fund for information that could lead to the arrest and conviction of the attackers."For these would-be extortionists or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice," Armstrong said in the video.The breach came as Coinbase is slated to join the S&P 500 next week, a development celebrated by crypto proponents as a key step toward the mainstream adoption of digital assets. Coinbase stock surged 24% on Tuesday after news of the coming index inclusion.Separately, Coinbase confirmed Thursday that the Securities and Exchange Commission has been investigating whether the company misstated in past disclosures the number of its verified users. That metric includes anyone who verified their email address or phone number with Coinbase, and may overstate the number of unique customers, the company said."This is a hold-over investigation from the prior administration about a metric we stopped reporting two and a half years ago, which was fully disclosed to the public," Paul Grewal, Coinbase's chief legal officer, said in a statement.An SEC spokesman declined to comment. The New York Times earlier reported on theninvestigation.Write to Colin Kellaher at [email protected] and Vicky Ge Huang at [email protected]