GitHub faces lawsuit for role in Capital One leak

Class action complaint accuses the platform of failing to detect and remove hacked data for three months

Development platform GitHub is being sued for allegedly failing to prevent 100 million people's personal information from being disseminated online following the Capital One data breach.

The class action complaint, filed in California, has accused theMicrosoftsubsidiary of negligence after a dump of hacked personal data, including bank account numbers and social security numbers, was hosted on its platform for three months. It's alleged that GitHub didn't remove this "obviously hacked" data in a timely way, nor alert victims their information was posted online.

Advertisement - Article continues below

The Capital One hack, in which the details for approximately 106 million customers were stolen, was disclosed in late July, although the incident itself took place in April. The stolen information, approximately 50GB worth of data, was posted onto GitHub on 21 April, according to the filings, and remained on the platform until mid-July.

GitHub's alleged failings also extend to the enforcement of its own terms-of-service, as it did not revoke the hacker's access to the site, let alone suspend their user account, the claim states.

"GitHub knew or should have known that obviously hacked data had been posted," the lawsuit claims. "Indeed, GitHub actively encourages (at least) friendly hacking as evidenced by, inter alia,'s "Awesome Hacking" page.

Advertisement - Article continues below

"GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information."

The claimants' arguments also centre on comparisons with the way similar tech platforms, like Facebook and YouTube, approach content moderation. These sites often dedicate resources and staff to monitoring and removing offensive and illegal content, or content which breaches their term-of-service.

Advertisement - Article continues below

Because social security numbers are readily identifiable, generally following a nine-digit sequence, GitHub should have, but chose not to, dedicate time and resource into scanning its platform for such information, it has been argued.

Following the beach disclosure, further research by Israeli firm CyberInt revealed a host of other large organisations could have been struck by the same hacker. These businesses include Vodafone and Ford.

"GitHub promptly investigates content, once it's reported to us, and removes anything that violates our Terms of Service," a spokesperson toldIT Pro.

"The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information.

"We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request."

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Careers & training

IBM job ad calls for 12-years of experience with six-year-old Kubernetes

13 Jul 2020
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

Linux kernel to strip out racially insensitive terms

13 Jul 2020