GitHub faces lawsuit for role in Capital One leak

Class action complaint accuses the platform of failing to detect and remove hacked data for three months

Development platform GitHub is being sued for allegedly failing to prevent 100 million people's personal information from being disseminated online following the Capital One data breach.

The class action complaint, filed in California, has accused the Microsoft subsidiary of negligence after a dump of hacked personal data, including bank account numbers and social security numbers, was hosted on its platform for three months. It's alleged that GitHub didn't remove this "obviously hacked" data in a timely way, nor alert victims their information was posted online.

The Capital One hack, in which the details for approximately 106 million customers were stolen, was disclosed in late July, although the incident itself took place in April. The stolen information, approximately 50GB worth of data, was posted onto GitHub on 21 April, according to the filings, and remained on the platform until mid-July.

GitHub's alleged failings also extend to the enforcement of its own terms-of-service, as it did not revoke the hacker's access to the site, let alone suspend their user account, the claim states.

"GitHub knew or should have known that obviously hacked data had been posted to GitHub.com," the lawsuit claims. "Indeed, GitHub actively encourages (at least) friendly hacking as evidenced by, inter alia, GitHub.com's 'Awesome Hacking' page.

"GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information."

The claimants' arguments also centre on comparisons with the way similar tech platforms, like Facebook and YouTube, approach content moderation. These sites often dedicate resources and staff to monitoring and removing offensive and illegal content, or content which breaches their terms of service.

Because social security numbers are readily identifiable, generally following a nine-digit sequence, it has been argued that GitHub should have dedicated time and resources to scanning its platform for such information, but chose not to.

Following the breach disclosure, further research by Israeli firm CyberInt revealed that a host of other large organisations could have been struck by the same hacker. These businesses include Vodafone and Ford.

"GitHub promptly investigates content, once it's reported to us, and removes anything that violates our Terms of Service," a spokesperson told IT Pro.

"The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information.

"We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request."
