GitHub sued for aiding hacking in Capital One breach

Class-action lawsuit filed in California against Capital One... and GitHub???
Written by Catalin Cimpanu, Contributor

Capital One and GitHub have been sued this week as part of a class-action lawsuit filed in California on allegations of failing to secure or prevent a security breach during which the personal details of more than 106 million users were stolen by a hacker.

While Capital One is named in the lawsuit because it was its data that the hacker stole, GitHub was also included because the hacker posted details about the hack on the code-sharing site.

Lawsuit claims GitHub failed to detect stolen data

The lawsuit claims that "decisions by GitHub's management [...] allowed the hacked data to be posted, displayed, used, and/or otherwise available." According to the lawsuit, details about the Capital One hack were available from April 21, 2019, to mid-July before they were taken down.

"GitHub knew or should have known that obviously hacked data had been posted to GitHub.com," the lawsuit claims.

The lawsuit said GitHub had an obligation under California law and industry standards to keep off or remove the Social Security numbers and personal information from its site. The plaintiffs believe that because Social Security numbers had a fixed format, GitHub should have been able to identify and remove this data, but they chose not to and allowed the stolen information to be available on its platform for three months until a bug hunter spotted the stolen data and notified Capital One.

The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act.

However, spokespersons from both Capital One and GitHub have told ZDNet that the data uploaded on GitHub by the hacker did not contain any personal information.

"The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information," a GitHub spokesperson told us. "We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request."

Lawsuit claims GitHub actively encouraged hacking

The lawsuit also makes a bold claim that "GitHub actively encourages (at least) friendly hacking." It then links to a GitHub repository named "Awesome Hacking."

Plaintiffs might have a hard time proving that GitHub promoted hacking as this repository is not associated with GitHub staff or management, but owned by a user who registered on the platform and claims to live in India.

There are thousands of similar GitHub repositories hosting hacking, pen-testing, cyber-security, and reverse engineering resources and tutorials -- all of which are not illegal.

Furthermore, other sites like Pastebin or AnonFile are also abused in a similar way that GitHub was during the Capital One breach, with hackers uploading stolen information on their respective servers, or hosting hacking tutorials.

The lawsuit seems to gloss over the fact that users are responsible for abiding by a platform's rules and terms of service, and not the platform itself.

All in all, the chances of GitHub being found guilty are slim, as this just just another classic case of "guns don't kill people; people kill people." Otherwise, Apple might be similarly held accountable when someone uses an iPhone to commit a crime.

But while Microsoft might have a case to convince the court to drop GitHub out of the lawsuit, Capital One does not, and will have to defend its cyber-security lapses in court.

The lawsuit pointed out that Capital One had suffered previous security breaches before in November 2014, July 2017, and September 2017.

The class-action lawsuit complaint is available here. Newsweek and Business Insider first reported the lawsuit.

The hacker responsible for the Capital One breach, Paige Thompson, was arrested earlier this week. She is believed to have hacked multiple other companies, besides Capital One. The list includes Unicredit, Vodafone, Ford, Michigan State University, and the Ohio Department of Transportation.

Updated on August 3, 6:10pm ET with statement from GitHub.

2019's tech, security, and authentication trends

Related cybersecurity coverage:

Editorial standards