GitHub faces lawsuit for role in Capital One leak

Class action complaint accuses the platform of failing to detect and remove hacked data for three months

Development platform GitHub is being sued for allegedly failing to prevent 100 million people's personal information from being disseminated online following the Capital One data breach.

The class action complaint, filed in California, has accused theMicrosoftsubsidiary of negligence after a dump of hacked personal data, including bank account numbers and social security numbers, was hosted on its platform for three months. It's alleged that GitHub didn't remove this "obviously hacked" data in a timely way, nor alert victims their information was posted online.

The Capital One hack, in which the details for approximately 106 million customers were stolen, was disclosed in late July, although the incident itself took place in April. The stolen information, approximately 50GB worth of data, was posted onto GitHub on 21 April, according to the filings, and remained on the platform until mid-July.

GitHub's alleged failings also extend to the enforcement of its own terms-of-service, as it did not revoke the hacker's access to the site, let alone suspend their user account, the claim states.

"GitHub knew or should have known that obviously hacked data had been posted toGitHub.com," the lawsuit claims. "Indeed, GitHub actively encourages (at least) friendly hacking as evidenced by, inter alia, GitHub.com's "Awesome Hacking" page.

"GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information."

The claimants' arguments also centre on comparisons with the way similar tech platforms, like Facebook and YouTube, approach content moderation. These sites often dedicate resources and staff to monitoring and removing offensive and illegal content, or content which breaches their term-of-service.

Because social security numbers are readily identifiable, generally following a nine-digit sequence, GitHub should have, but chose not to, dedicate time and resource into scanning its platform for such information, it has been argued.

Following the beach disclosure, further research by Israeli firm CyberInt revealed a host of other large organisations could have been struck by the same hacker. These businesses include Vodafone and Ford.

"GitHub promptly investigates content, once it's reported to us, and removes anything that violates our Terms of Service," a spokesperson toldIT Pro.

"The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information.

"We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request."

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Recommended

8 of the most secure web browsers
web browser

8 of the most secure web browsers

25 Sep 2020
Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
How to enable private browsing on any device
privacy

How to enable private browsing on any device

22 Sep 2020
Third-party apps are tracking your WhatsApp activity
social media

Third-party apps are tracking your WhatsApp activity

21 Sep 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Google removes 17 apps infected with evasive ‘Joker’ malware
malware

Google removes 17 apps infected with evasive ‘Joker’ malware

28 Sep 2020