GitHub accused of aiding Capital One data breach; lawsuit filed
We had recently reported how Capital One, one of the largest banks and one of the largest credit card issuers in the U.S., was involved in a massive data breach where more than 100 million of the company’s customer accounts and credit card applications were exploited.
Paige Thompson, a Seattle-based software engineer behind the hack, had allegedly posted details about the Capital One data hack on the code-sharing site, GitHub.
For those unaware, the Capital One data hack had exposed the personal information of 106 million people, including 140,000 Social Security numbers and 80,000 bank account numbers, in addition to details of tens of millions of credit card applications, after a firewall misconfiguration in an Amazon cloud storage service used by Capital One was exploited. The breach also compromised one million Canadian social insurance numbers.
Now, the law firm Tycko & Zavareei LLP has filed a class-action lawsuit against Capital One and GitHub on behalf of those affected by the breach, alleging that both companies were negligent in safeguarding customers' data and privacy.
The 28-page lawsuit filed on Thursday in the U.S. District Court for the Northern District of California claimed that GitHub “actively encourages (least) friendly hacking.”
“GitHub had a duty under California law to keep (or remove) the site’s social security number and other personal information,” the law firm said in its complaint against GitHub and Capital One.
It also says that GitHub violated the federal Wiretap Act, “which permits civil recovery for those whose ‘wire, oral, or electronic communication’ has been ‘intercepted, disclosed, or intentionally used’ in violation of, inter alia, the Wiretap Act.”
“As a result of GitHub’s failure to monitor, remove, or otherwise recognize and act upon obviously-hacked data that was displayed, disclosed, and used on or by GitHub and its website, the Personal Information sat on GitHub.com for nearly three months,” the law firm said in its complaint against GitHub and Capital One.
The lawsuit further alleges that details about the Capital One hack were available from April 21, 2019, to mid-July before they were taken down.
The computer logs “demonstrate that Capital One knew or should have known” about the data breach when it took place in March. However, the company failed to take any action against the breach until last month, resulting in a violation of state law to remove the information.
Responding to the lawsuit, a spokesperson for GitHub in a statement to The Hill said that “GitHub promptly investigates content, once it’s reported to us, and removes anything that violates our Terms of Service.”
The spokesperson added that “the file posted to GitHub did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving the request.”
Thompson was arrested earlier this week and has been charged with one count of data fraud and abuse. She could face up to 5 years in prison and a $250,000 fine.