Capital One and GitHub have been sued this week as part of a class-action lawsuit filed in California on allegations of failing to secure or prevent a security breach during which the personal details of more than 106 million users were stolen by a hacker.
While Capital One is named in the lawsuit because it was its data that the hacker stole, GitHub was also included because the hacker posted some of the stolen information on the code-sharing site.
Lawsuit claims GitHub failed to detect stolen data
The lawsuit claims that “decisions by GitHub’s management […] allowed the hacked data to be posted, displayed, used, and/or otherwise available.”
According to court documents, the stolen Capital One user info was available from April 21, 2019, to mid-July before it was taken down.
“GitHub knew or should have known that obviously hacked data had been posted to GitHub.com,” the lawsuit claims.
The lawsuit said GitHub had an obligation under California law and industry standards to keep off or remove the Social Security numbers and personal information from its site.
The plaintiffs believe that because Social Security numbers have a fixed format, GitHub should have been able to identify and remove this data, but it chose not to and allowed the stolen information to remain available on its platform for three months, until a bug hunter spotted the stolen data and notified Capital One.
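As an added example (not from the article, the lawsuit, or GitHub), the following shows the kind of structural check a hosting platform could apply to the "fixed format" the plaintiffs invoke, and why format alone is a weak signal: only the ranges the Social Security Administration never issues can be excluded, so any other 3-2-4 digit string passes. The dump lines are constructed sample data.

```python
import re
from typing import List, Tuple

# Canonical AAA-GG-SSSS layout with dash or space separators, not embedded in a longer digit run.
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")


def is_structurally_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA's never-issued rules: area 000, 666 and 900-999,
    group 00 and serial 0000 are never assigned. Everything else passes,
    which is why a format check on its own produces many false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssn_candidates(text: str) -> List[str]:
    """Return every SSN-shaped token in text that survives the structural check."""
    return [m.group(0) for m in SSN_PATTERN.finditer(text)
            if is_structurally_valid_ssn(*m.groups())]


def scan_dump(text: str) -> List[Tuple[int, str]]:
    """Scan a multi-line dump and report (1-based line number, candidate) pairs,
    the shape of finding a platform-side content scanner would raise for review."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for candidate in find_ssn_candidates(line):
            hits.append((line_no, candidate))
    return hits


# Constructed sample dump (not real data): plausible SSNs, never-issued ranges,
# and other digit strings that share the separators but not the 3-2-4 layout.
SAMPLE_DUMP = """name,ssn,note
Jane Doe,123-45-6789,constructed dummy value
John Roe,234 56 7890,space-separated layout also matches
Bad Area,000-12-3456,area 000 is never issued
Bad Area,666-12-3456,area 666 is never issued
Bad Area,900-12-3456,areas 900-999 are never issued
Bad Group,123-00-6789,group 00 is never issued
Bad Serial,123-45-0000,serial 0000 is never issued
Phone,555-123-4567,3-3-4 phone layout does not match
Order,1234-56-7890,leading digit run breaks the boundary"""

if __name__ == "__main__":
    for line_no, value in scan_dump(SAMPLE_DUMP):
        print(f"line {line_no}: {value}")
```

Only the first two data rows are reported; everything else is excluded either by the never-issued ranges or by the layout boundaries, which is the limit of what a pure format rule can do.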
The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act. It is worth mentioning that GitHub was never prosecuted for violating wiretapping laws; this is an accusation made in a civil case and is currently unproven.
Lawsuit claims GitHub actively encouraged hacking
The lawsuit also makes a bold claim that “GitHub actively encourages (at least) friendly hacking.” It then links to a GitHub repository named “Awesome Hacking.”
Plaintiffs might have a hard time proving that GitHub promoted hacking, as this repository is not associated with GitHub staff or management, but is owned by a user who registered on the platform and claims to live in India.
There are thousands of similar GitHub repositories hosting hacking, pen-testing, cyber-security, and reverse engineering resources and tutorials — all of which are not illegal.
Furthermore, other sites like Pastebin or AnonFile are abused in the same way GitHub was during the Capital One breach, with hackers uploading stolen information to their respective servers or hosting hacking tutorials.
The lawsuit seems to gloss over the fact that users are responsible for abiding by a platform’s rules and terms of service, and not the platform itself.
All in all, the chances of GitHub being found guilty are slim, as this is just another classic case of “guns don’t kill people; people kill people.”
Otherwise, Apple might be similarly held accountable when someone uses an iPhone to commit a crime, or Microsoft found guilty when someone uses a Windows operating system to watch pirated movies.
But while Microsoft might have a case to convince the court to drop GitHub from the lawsuit, Capital One does not, and will have to defend its cyber-security lapses in court.
The lawsuit pointed out that Capital One had suffered previous security breaches in November 2014, July 2017, and September 2017.
The class-action lawsuit complaint is available here. Newsweek and Business Insider first reported the lawsuit.
The hacker responsible for the Capital One breach, Paige Thompson, was arrested earlier this week. She is believed to have hacked multiple other companies, besides Capital One. The list includes Unicredit, Vodafone, Ford, Michigan State University, and the Ohio Department of Transportation.