GitHub faces lawsuit for role in Capital One leak

Class action complaint accuses the platform of failing to detect and remove hacked data for three months

Development platform GitHub is being sued for allegedly failing to prevent 100 million people's personal information from being disseminated online following the Capital One data breach.

The class action complaint, filed in California, has accused theMicrosoftsubsidiary of negligence after a dump of hacked personal data, including bank account numbers and social security numbers, was hosted on its platform for three months. It's alleged that GitHub didn't remove this "obviously hacked" data in a timely way, nor alert victims their information was posted online.

The Capital One hack, in which the details for approximately 106 million customers were stolen, was disclosed in late July, although the incident itself took place in April. The stolen information, approximately 50GB worth of data, was posted onto GitHub on 21 April, according to the filings, and remained on the platform until mid-July.

GitHub's alleged failings also extend to the enforcement of its own terms-of-service, as it did not revoke the hacker's access to the site, let alone suspend their user account, the claim states.

Advertisement - Article continues below
Advertisement - Article continues below

"GitHub knew or should have known that obviously hacked data had been posted," the lawsuit claims. "Indeed, GitHub actively encourages (at least) friendly hacking as evidenced by, inter alia,'s "Awesome Hacking" page.

"GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information."

The claimants' arguments also centre on comparisons with the way similar tech platforms, like Facebook and YouTube, approach content moderation. These sites often dedicate resources and staff to monitoring and removing offensive and illegal content, or content which breaches their term-of-service.

Because social security numbers are readily identifiable, generally following a nine-digit sequence, GitHub should have, but chose not to, dedicate time and resource into scanning its platform for such information, it has been argued.

Following the beach disclosure, further research by Israeli firm CyberInt revealed a host of other large organisations could have been struck by the same hacker. These businesses include Vodafone and Ford.

"GitHub promptly investigates content, once it's reported to us, and removes anything that violates our Terms of Service," a spokesperson toldIT Pro.

Advertisement - Article continues below

"The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information.

"We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020