Assuming they will have to inform the individuals who's data was actually breached/taken? Or is this basically the entire customer base? In which case that is VERY bad.
Their blog post says they notified affected users yesterday:
https://www.coinbase.com/blog/protecting-our-customers-stand...
From the sounds of it, this is limited to US customers? Just going by the mention of social security number which does not exist in other countries like the UK.