A CEO's Transparent Incident Response Communication

On May 15, 2025, Coinbase CEO Brian Armstrong released a video in which he described how an incident happened, what Coinbase was doing about it, and that they were making victims whole, while also announcing a $20 million reward for information leading to the arrest and conviction of the perpetrators.

On May 11, Coinbase suffered a social engineering attack targeting their outsourced customer support department. Their SEC Material Cybersecurity Incident disclosure on May 15 revealed that attackers obtained enough personal information to launch successful fake customer service attacks against Coinbase customers.

The Wall Street Journal reported that the breach and subsequent customer support scams affected up to 97,000 customers, and the expected remediation costs including customer reimbursement and a bounty will run $180-400 million.

Armstrong’s Response

Around noon on May 15, Coinbase CEO Brian Armstrong went to Twitter with a video statement. As an incident response veteran, I was impressed.

  • He described the holes in his outsourced customer service systems and explained that, while the company had in fact taken objectively reasonable security steps to defend against customer support fraud, attackers had been persistent and found reps willing to sell information.
  • He stated that Coinbase was changing its customer support regime and that all the people responsible had been dismissed.
  • He said that Coinbase had conducted victim notification, and then he personally committed to reimburse the customers for any losses due to the attack.
  • He announced that Coinbase had received a ransom demand for $20 million, and that he refused to pay it.
  • And finally, he announced a $20 million reward for information leading to the arrest and conviction of the perpetrators.

Why This Works

Armstrong avoided empty platitudes (like, “Your security is important to us”) and instead demonstrated concrete commitment to security through action. As security communications expert Melanie Ensign noted, “Two things about the substance of what he said make it work: They’re reimbursing customers, and they’re going after the attacker(s). If they weren’t able or willing to say those things, the message would have been weak and the video would have sucked.”

By announcing the substantial reward, Coinbase is investing in improved security for the entire industry. If claimed, we’ll likely gain valuable intelligence on attack methods and increase public awareness about scams.

Broader Implications

This incident highlights two critical lessons for executives and boards:

  1. Customer service fraud is a prime vector used by criminal groups.
  2. When breaches occur, companies must back security claims with meaningful action, and that starts with the CEO being transparent.