In May 2025, Coinbase disclosed that attackers bribed overseas customer-support contractors to steal data on roughly 70,000 customers, then demanded a $20 million ransom. Coinbase refused and estimated remediation at $180–400 million. The breach didn't need a zero-day — it needed a support agent with too much access and a price. If your business runs a support desk or a BPO in India, this is the threat model you're actually exposed to. Here's a 12-point insider-threat checklist you can run this week.
~70,000
Customers whose data was stolen
$20M
Ransom demanded (Coinbase refused)
$180–400M
Estimated remediation cost
0
Zero-days used — it was bribery
## The Answer in 60 Words
Insider threats from support teams come down to over-broad access. The fix isn't one tool — it's scoping each agent to the minimum data they need, masking sensitive fields by default, logging every record view, alerting on bulk access, and vetting contractors. The Coinbase attackers bribed agents who could see full customer records. Limit what an agent can see, and a bribe buys the attacker far less.
## Why This Matters Now
Coinbase first [noticed unusual activity from some support reps as far back as January 2025](https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists). Attackers contacted overseas support contractors and bribed at least one into handing over access to internal support tools. The stolen data included names, emails, phone numbers, masked SSNs and bank numbers, government-ID images, and account history. On May 11 the attackers demanded $20M; on May 15 CEO Brian Armstrong publicly refused. For India — where a large share of global support and BPO work runs — the lesson lands hard: the weakest link is rarely the firewall. It's the human with a support console.
## What an Insider Threat Actually Looks Like
An insider threat is misuse of legitimate access — by an employee, a contractor, or a vendor — to steal or expose data. It splits into three types: the malicious insider (bribed or disgruntled), the negligent insider (clicks a phishing link, reuses a password), and the compromised insider (credentials stolen without their knowledge). The Coinbase case was malicious-by-bribery. Your controls have to assume all three, because the same access scoping that limits a bribed agent also limits a phished one.
💰
Malicious (bribed)
An agent is paid to pull records. Defence: least-privilege access, masking, bulk-access alerts, so even a willing insider can exfiltrate little before detection.
🎣
Negligent (phished)
An agent falls for social engineering. Defence: MFA, phishing-resistant auth, and the same access limits — a phished account can only reach what its owner could.
🕵️
Compromised (stolen creds)
Credentials taken silently. Defence: anomaly detection on access patterns, session monitoring, and IP/device binding for support tools.
🏢
Third-party / BPO
The riskiest, because you control less. Defence: vendor vetting, contractual audit rights, scoped access via your IAM, and your logging — not just theirs.
## The 12-Point Insider-Threat Checklist
1
Scope access to the ticket, not the database
An agent helping customer X should see customer X's record — not be able to browse all customers. Bind data access to an open ticket where possible.
2
Mask sensitive fields by default
Show last-4 of a bank or ID number, not the whole thing. Full reveal requires a logged, reason-coded "unmask" action that a supervisor can review.
3
Log every record view, not just every edit
Most systems log changes. Insider theft is reading, not writing. Log who viewed which customer, when, from where — and keep it tamper-evident.
4
Alert on bulk access
An agent who views 300 customer records in an hour is either doing a migration or stealing. Alert above a per-role threshold and require a reason.
5
Block bulk export
Remove "export all" from agent roles. Exports go through a request that a manager approves and the system logs. No silent CSV of your customer base.
6
Enforce phishing-resistant MFA
On support tools, prefer hardware keys or passkeys over SMS OTP. The Coinbase agents were bribed, but MFA still blunts the phished and compromised cases.
7
Bind sessions to device and IP
A support console logging in from a new country at 3 am should re-challenge or block. Geo and device anomalies are cheap signals.
8
Separate read, write, and admin roles
A frontline agent rarely needs to change account ownership or reset security settings. Split roles so the high-risk actions sit with a small, audited group.
9
Vet contractors like employees
If a BPO agent touches customer data, your vetting standard applies — background checks, named individuals, no shared logins. Demand audit rights in the contract.
10
Run access through your IAM, not theirs
Vendor agents should authenticate through your identity provider so you can revoke instantly, see the logs, and enforce your MFA — not rely on the vendor's.
11
De-provision the same day someone leaves
Offboarding lag is a classic gap. Tie access to HR status; the moment a contract ends, access ends. Audit dormant accounts monthly.
12
Have a refuse-the-ransom plan before you need one
Coinbase refused publicly and offered a bounty instead. Decide your stance, your disclosure path, and your DPDP breach-notification steps now — not during the incident.
The uncomfortable part: most of these controls catch the bribed insider only after they've taken some data. The point of least-privilege and masking is to make "some" as small as possible. An agent who can see one masked record per ticket can sell almost nothing. An agent who can browse and export the whole customer table can sell everything. Same bribe, very different blast radius.
## A Quick Self-Assessment
| Control | High risk if… | Lower risk if… |
|---|---|---|
| Access scope | Agents can browse all customers | Access bound to assigned tickets |
| Field exposure | Full PII visible by default | Masked; reveal is logged + reason-coded |
| View logging | Only edits are logged | Every view logged, tamper-evident |
| Bulk access | No threshold alerts | Alerts + reason required above N views |
| Export | Agents can export freely | Export gated by approval |
| Vendor auth | BPO uses its own logins | Agents auth via your IAM |
## Why India Carries Outsized Exposure Here
India runs a large share of the world's customer-support and BPO operations, which means a lot of the access that matters sits with agents working for a vendor, not the brand whose customers they serve. That structure multiplies the risk in two ways. First, the brand often can't see the vendor's logs or enforce its own MFA, so a bribed or phished agent leaves fewer fingerprints. Second, accountability gets fuzzy — when a breach happens, "the BPO handles security" is not a defence under DPDP, which puts the obligation on the data fiduciary. If you're an Indian firm serving overseas clients, or an overseas brand routing support through an Indian vendor, the contractual and technical controls in this checklist aren't optional nice-to-haves. They're the difference between an incident you can scope in hours and one you discover months later, the way Coinbase did.
## Common Mistakes (When Insider Defence Fails)
Symptom: "We have logs but never look at them." Cause: logging without alerting. Fix: turn the bulk-access pattern into a real-time alert, not a quarterly report nobody reads.
Symptom: "The BPO 'handles security'." Cause: outsourced accountability. Fix: you own the data and the breach notification; route their access through your IAM and your logging.
Symptom: "Everyone's an admin because it's easier." Cause: role sprawl. Fix: separate read/write/admin; most agents only need scoped read.
Symptom: "Offboarded staff still had access weeks later." Cause: manual de-provisioning. Fix: tie access to HR status; revoke same-day, audit dormant accounts monthly.
## When This Checklist Is Overkill
If you're a 5-person team where one trusted founder handles all support and there are no contractors, the full 12 points are heavier than your risk. Start with three: mask PII by default, log every view, and use MFA. As you add support staff — and especially the day you add a contractor or BPO — the rest become non-optional. Scale the controls to the number of hands on customer data, not to your headcount overall.
## How We Approach This for Clients
As
Khushi, when our team scopes access for a client's support stack, we start from the data, not the org chart: list every sensitive field, decide who genuinely needs to see it unmasked, and build the console so the default view is safe. We applied exactly this masking-and-logging discipline to the support tooling behind
TalkDrill, our in-house English-speaking app, where agents help users without ever seeing a full unmasked profile by default. We ran this same exercise after the
Discord vendor-support breach, and it overlaps heavily with the work in our
12-task cyber-hygiene sprint. For the third-party angle specifically — vendor questionnaires and audit rights — see our piece on
the vendor questions every Indian SaaS buyer should ask. Founder
Vivek Singh writes more on the security beat from a first-person angle. Our
automation team can also wire the bulk-access alerts into your existing logging so the signal reaches a human in minutes, not months.
Run-this-week insider-threat checklist
- Scope agent access to assigned tickets, not the whole database
- Mask sensitive fields; reveal is logged and reason-coded
- Log every record view, tamper-evident
- Alert on bulk access above a per-role threshold
- Gate bulk export behind manager approval
- Enforce phishing-resistant MFA on support tools
- Route vendor/BPO access through your own IAM
- De-provision same-day on exit; audit dormant accounts monthly
## Our Take
The Coinbase breach is being read as a crypto story. It isn't. It's a support-access story that happens to involve a crypto exchange. The bribe was small relative to the data's value; the data was accessible because support agents could see full customer records. Any Indian firm running a support desk — fintech, e-commerce, healthtech, a BPO serving overseas clients — has the same exposure. The defence is unglamorous: least privilege, masking, view logging, anomaly alerts. None of it trends on tech Twitter. All of it would have shrunk this breach.
We pressure-tested this against community discussion too — the [r/cybersecurity thread on the Coinbase disclosure](https://www.reddit.com/r/cybersecurity/) kept returning to the same root cause: support tooling that exposes far more than any single ticket needs.
## FAQ
### What caused the Coinbase insider breach?
Attackers bribed overseas customer-support contractors to access internal support tools and exfiltrate data on roughly 70,000 customers. No software vulnerability was exploited — the access was legitimate and misused. Coinbase noticed anomalous rep activity as early as January 2025 and disclosed in May.
### How is an insider threat different from a hack?
A hack exploits a technical flaw to gain access an attacker shouldn't have. An insider threat misuses access someone legitimately holds — an employee, contractor, or vendor. Because the access is authorized, firewalls and patching don't stop it; access scoping and monitoring do.
### What's the single most effective insider-threat control?
Least-privilege access scoped to the task. If an agent can only see the one customer tied to their open ticket, a bribe or a phished login yields almost nothing. Broad browse-and-export access turns one compromised agent into a full-database leak.
### Do these controls apply to small Indian support teams?
Start with three even at small scale: mask PII by default, log every record view, and enforce MFA. The full 12-point list becomes important the moment you add support staff or any contractor or BPO touching customer data.
### How should we handle a BPO's access to customer data?
Route their agents through your own identity provider so you can revoke instantly and own the logs, vet contractors to your employee standard, demand audit rights in the contract, and apply the same masking and view-logging you'd use internally. Don't rely on the vendor's controls alone.
### What does DPDP require if an insider leaks data?
India's DPDP framework requires notifying affected individuals and the Data Protection Board of a personal-data breach. Decide your notification path, timelines, and internal owner before an incident, so disclosure isn't being improvised under pressure.
### Should we ever pay a data-ransom demand?
Most security guidance, and Coinbase's own choice, is not to pay — payment funds future attacks and doesn't guarantee deletion. Decide your stance in advance, line up legal and forensic support, and prepare a public-disclosure and breach-notification plan instead.
Want an Insider-Threat Review of Your Support Stack?
We audit support-tool access, field masking, and logging for Indian fintech, e-commerce, and BPO teams — then wire up the alerts that catch bulk access in minutes. Typical engagement: a 1-week review with a prioritized fix list. First call is free.
Book a 20-min Call