Published on August 5th, 2019
GitHub faces class-action lawsuit for ‘encouraging’ hacking in Capital One breach
A lawsuit has been filed against GitHub over its role in the Capital One breach
DEVELOPER PORTAL GitHub has been slapped with a lawsuit for its role in the Capital One data breach
A lawsuit has been filed in a California court against GitHub and Capital One over a data breach that led to the theft of more than 100 million customers’ information.
Law firm Tycko & Zavareei LLP filed the 28-page lawsuit in California’s federal district court [PDF] on Thursday on behalf of plaintiffs Seth Zielicke and Aimee Aballo.
The plaintiffs accuse Capital One and GitHub of failing to protect customers’ personal information and said that both companies need to be held responsible for their role in the data breach. They also accuse the source-code hosting website of actively encouraging “(at least) friendly hacking”.
The Capital One breach, which occurred in March/April this year, led to the theft of the personal information of nearly 106 million customers.
The company disclosed the data breach late last month, admitting that a hacker illegally accessed its systems and was able to steal the personal information of a large number of customers.
The hacker supposedly exploited a firewall misconfiguration in an Amazon Cloud storage service used by Capital One and went on to post the stolen data on GitHub in April.
As per the lawsuit, the Capital One hack details were available on GitHub from 21 April 2019 to mid-July before they were removed from the site. Capital One only became aware of it on 17th July.
“GitHub knew or should have known that obviously hacked data had been posted to GitHub.com,” the lawsuit said.
It claimed that GitHub had violated the federal Wiretap Act by allowing the hacker(s) to upload and store stolen details of people, including their Social Security numbers (SSNs), on its servers.
“GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information,” the suit said.
The plaintiffs also provided a link to a GitHub repository named “Awesome Hacking” in support of their claim that GitHub is involved in “friendly hacking”.
A GitHub spokesperson told Business Insider that the information posted on GitHub didn’t contain any bank account details, SSNs, or any other reportedly stolen personal information.
The company said that the information related to the Capital One data hack was removed promptly after a request from Capital One to remove such content was received.
The GitHub spokesperson also stated that it is the company’s policy to quickly remove any content that is found to be violating the terms and services of the website.