Class-Action Suit Alleges Bitcoin Depot's Negligence in 2024 Data Breach
Bitcoin Depot failed to adequately protect the personally identifiable information (PII) of more than 26,000 individuals, which was then exposed in a data breach, a class-action complaint alleged Friday in the U.S. District Court for Northern Georgia. Lead plaintiff Quincey Hall's lawsuit alleges negligence, invasion of privacy, breach of implied contract and violations of the Georgia Uniform Deceptive Trade Practices Act, among other claims.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The complaint said that "on June 23, 2024, Bitcoin Depot detected suspicious activity on its network and commenced an internal investigation which was completed by July 18, 2024," confirming unauthorized activity in its system.
However, the company didn't inform "victims of the Data Breach" or that their PII was stolen "until a year later, presumably because there was an ongoing parallel investigation by federal agencies," the complaint said.
Indeed, a sample notification letter from the company attached to California's July 7 report of the breach, said, "Unfortunately, we were not able to inform you sooner due to an ongoing investigation," as "federal law enforcement requested that Bitcoin Depot wait to provide you notice until after they completed the investigation," the letter said. "Law enforcement advised Bitcoin Depot on June 13, 2025, that their investigation was complete."
Name, phone number, driver’s license number, address, date of birth, and email address were among the information leaked.
The class action alleges that the company failed to "implement adequate and reasonable measures to protect" the plaintiffs' PII; "timely detect" the data breach; "take adequate steps to prevent and stop the" breach; disclose that it didn't have adequate security practices; and "provide timely and adequate notice," said the suit.
Bitcoin Depot also noted that it has "taken steps to prevent a reoccurrence by enhancing security measures and security monitoring and increasing company awareness of data security protection," and is providing one free year of credit monitoring to those affected.
In addition to California, the Texas OAG office reported the breach on July 8, and said that 1,683 Texans were impacted. Washington state's AG also reported the breach July 7, and noted that 3,486 state residents were affected.
A Bitcoin spokesperson told Privacy Daily in an email that after detecting unusual activity on its network in June 2024, it "immediately launched an investigation with a leading cybersecurity firm" and secured its systems, allowing services to remain uninterrupted. The spokesperson said Bitcoin "remain[s] committed to protecting customer data and privacy." and said there was "no evidence of customer information being misused."
"We later confirmed that an unauthorized party accessed files containing personal information of certain customers," and "at the direction of federal law enforcement" was "asked to delay notification due to an active investigation into the third party responsible for the breach," they added. The notification process is now underway.