[BreachExchange] GitHub sued for aiding hacking in Capital One breach

Destry Winant destry at riskbasedsecurity.com
Mon Aug 5 02:17:32 EDT 2019


Capital One and GitHub have been sued this week as part of a
class-action lawsuit filed in California on allegations of failing to
secure or prevent a security breach during which the personal details
of more than 106 million users were stolen by a hacker.

While Capital One is named in the lawsuit because it was its data that
the hacker stole, GitHub was also included because the hacker posted
details about the hack on the code-sharing site.


The lawsuit claims that "decisions by GitHub's management [...]
allowed the hacked data to be posted, displayed, used, and/or
otherwise available." According to the lawsuit, details about the
Capital One hack were available from April 21, 2019, to mid-July
before they were taken down.

"GitHub knew or should have known that obviously hacked data had been
posted to GitHub.com," the lawsuit claims.

The lawsuit said GitHub had an obligation under California law and
industry standards to keep off or remove the Social Security numbers
and personal information from its site. The plaintiffs believe that
because Social Security numbers had a fixed format, GitHub should have
been able to identify and remove this data, but they chose not to and
allowed the stolen information to be available on its platform for
three months until a bug hunter spotted the stolen data and notified
Capital One.

The lawsuit alleges that by allowing the hacker to store information
on its servers, GitHub violated the federal Wiretap Act.

However, spokespersons from both Capital One and GitHub have told
ZDNet that the data uploaded on GitHub by the hacker did not contain
any personal information.

"The file posted on GitHub in this incident did not contain any Social
Security numbers, bank account information, or any other reportedly
stolen personal information," a GitHub spokesperson told us. "We
received a request from Capital One to remove content containing
information about the methods used to steal the data, which we took
down promptly after receiving their request."


The lawsuit also makes a bold claim that "GitHub actively encourages
(at least) friendly hacking." It then links to a GitHub repository
named "Awesome Hacking."

Plaintiffs might have a hard time proving that GitHub promoted hacking
as this repository is not associated with GitHub staff or management,
but owned by a user who registered on the platform and claims to live
in India.

There are thousands of similar GitHub repositories hosting hacking,
pen-testing, cyber-security, and reverse engineering resources and
tutorials -- all of which are not illegal.

Furthermore, other sites like Pastebin or AnonFile are also abused in
a similar way that GitHub was during the Capital One breach, with
hackers uploading stolen information on their respective servers, or
hosting hacking tutorials.

The lawsuit seems to gloss over the fact that users are responsible
for abiding by a platform's rules and terms of service, and not the
platform itself.

All in all, the chances of GitHub being found guilty are slim, as this
just just another classic case of "guns don't kill people; people kill
people." Otherwise, Apple might be similarly held accountable when
someone uses an iPhone to commit a crime.

But while Microsoft might have a case to convince the court to drop
GitHub out of the lawsuit, Capital One does not, and will have to
defend its cyber-security lapses in court.

The lawsuit pointed out that Capital One had suffered previous
security breaches before in November 2014, July 2017, and September

The class-action lawsuit complaint is available here. Newsweek and
Business Insider first reported the lawsuit.

The hacker responsible for the Capital One breach, Paige Thompson, was
arrested earlier this week. She is believed to have hacked multiple
other companies, besides Capital One. The list includes Unicredit,
Vodafone, Ford, Michigan State University, and the Ohio Department of

More information about the BreachExchange mailing list