GitHub faces lawsuit for role in Capital One leak

Class action complaint accuses the platform of failing to detect and remove hacked data for three months

Development platform GitHub is being sued for allegedly failing to prevent 100 million people's personal information from being disseminated online following the Capital One data breach.

The class action complaint, filed in California, has accused theMicrosoftsubsidiary of negligence after a dump of hacked personal data, including bank account numbers and social security numbers, was hosted on its platform for three months. It's alleged that GitHub didn't remove this "obviously hacked" data in a timely way, nor alert victims their information was posted online.

The Capital One hack, in which the details for approximately 106 million customers were stolen, was disclosed in late July, although the incident itself took place in April. The stolen information, approximately 50GB worth of data, was posted onto GitHub on 21 April, according to the filings, and remained on the platform until mid-July.

GitHub's alleged failings also extend to the enforcement of its own terms-of-service, as it did not revoke the hacker's access to the site, let alone suspend their user account, the claim states.

Advertisement - Article continues below
Advertisement - Article continues below

"GitHub knew or should have known that obviously hacked data had been posted," the lawsuit claims. "Indeed, GitHub actively encourages (at least) friendly hacking as evidenced by, inter alia,'s "Awesome Hacking" page.

"GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information."

The claimants' arguments also centre on comparisons with the way similar tech platforms, like Facebook and YouTube, approach content moderation. These sites often dedicate resources and staff to monitoring and removing offensive and illegal content, or content which breaches their term-of-service.

Because social security numbers are readily identifiable, generally following a nine-digit sequence, GitHub should have, but chose not to, dedicate time and resource into scanning its platform for such information, it has been argued.

Following the beach disclosure, further research by Israeli firm CyberInt revealed a host of other large organisations could have been struck by the same hacker. These businesses include Vodafone and Ford.

"GitHub promptly investigates content, once it's reported to us, and removes anything that violates our Terms of Service," a spokesperson toldIT Pro.

Advertisement - Article continues below

"The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information.

"We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request."

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now



Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular


Patch issued for critical Windows bug

11 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019

Buy IT to grow, not slow, your business

25 Nov 2019
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019