GitHub sued for aiding hacking in Capital One breach
Capital One and GitHub have been sued this week as part of a class-action lawsuit filed in California on allegations of failing to secure or prevent a security breach during which the personal details of more than 106 million users were stolen by a hacker. While Capital One is named in the lawsuit because it was its data that the hacker stole, GitHub was also included because the hacker posted details about the hack on the code-sharing site. The lawsuit claims that ‘decisions by GitHub’s management […] allowed the hacked data to be posted, displayed, used, and/or otherwise available.’
According to the lawsuit, details about the Capital One hack were available from April 21, 2019, to mid-July before they were taken down. The lawsuit said GitHub had an obligation under California law and industry standards to keep off or remove the Social Security numbers and personal information from its site. The plaintiffs believe that because Social Security numbers had a fixed format, GitHub should have been able to identify and remove this data, but they chose not to and allowed the stolen information to be available on its platform for three months until a bug hunter spotted the stolen data and notified Capital One.