Github sued for encouraging hacking in Capital One data breach lawsuit

GitHub does nothing to stop hacked data and exploits from being uploaded, claims lawsuit

A lawsuit has been filed in a California court against GitHub and Capital One over data breach that led to theft of more than 100 million customers' information.

Law firm Tycko & Zavareei LLP filed the 28-page lawsuit in a federal district court [PDF] on Thursday on behalf of plaintiffs Seth Zielicke and Aimee Aballo.

In the suit, the plaintiffs accused Capital One and GitHub of failing to protect customers' personal information and said that both companies need to be held responsible for their role in the data breach.

The lawsuit also accused the source-code hosting website of being involved in actively encouraging "(at least) friendly hacking".

The Capital One hacking incident, which occurred in March/April this year, led to the theft of personal information of about nearly 106 million customers.

The company disclosed the data breach late last month, admitting that a hacker illegally accessed its systems and was able to steal the personal information of a large number of customers.

The hacker supposedly exploited a firewall misconfiguration in an Amazon cloud storage service used by Capital One. She also posted the stolen data on GitHub in April.

As per the lawsuit, the Capital One hack details were available on GitHub from 21 April 2019 to mid-July before they were removed from the site. Capital One only became aware of it on 17th July.

"GitHub knew or should have known that obviously hacked data had been posted to GitHub.com," the lawsuit said.

It claimed that GitHub had violated the federal Wiretap Act by allowing the hacker(s) to upload and store stolen details of people, including their Social Security numbers (SSNs), on its servers.

"GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information," the suit said.

The plaintiffs also provided a link to a GitHub repository named "Awesome Hacking" in support of their claim that GitHub is involved in "friendly hacking".

A GitHub spokesperson told Business Insider that the information posted on GitHub didn't contain any bank account details, SSNs, or any other reportedly stolen personal information.

The company said that the information related to Capital one data hack was removed promptly after a request from Capital One to remove such content was received.

GitHub spokesperson also stated that it is company's policy to quickly remove any content that is found to be violating the terms and services of the website.

Last week, the New York Attorney General Letitia James announced an investigation into the security breach. The compromised system was hosted on Amazon Web Services (AWS). Politicians in the US also recently quizzed Amazon about its security practices, asking the company to explain the Capital One security breach.