GitHub 'Actively Encourages' Hacking, Suit Filed Against Company After Capital One Hack Says

Law firm Tycko & Zavareei LLP has filed a class-action lawsuit against source-code hosting site GitHub for its link to a massive Capital One hack, alleging the company is guilty of negligence, negligence per se, violation of the federal Wiretap Act and violation of the California civil code. The suit also levies charges against Capital One.

Capital One announced earlier this week that it had suffered a hack that exposed the personal information of 106 million people, including the social security numbers of 140,000 customers and the bank account numbers of 80,000 customers. The information, allegedly hacked by a former Amazon Web Services employee, was then posted on GitHub.

A federal complaint charging Paige Thompson, the alleged hacker, says that the exfiltration of Capital One information took place between March and April, when it was posted on GitHub. Capital One was notified on July 17 that its information had been published on GitHub.

The 28-page lawsuit filed Thursday in the U.S. District Court for the Northern District of California asserted that GitHub "actively encourages (at least) friendly hacking."

It notes that the hacked Capital One information was posted online for months and alleges that the company violated state law by failing to remove the information. "GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information," the suit says.

It also says that GitHub violated the federal Wiretap Act, "which permits civil recovery for those whose 'wire, oral, or electronic communication' has been 'intercepted, disclosed, or intentionally used' in violation of, inter alia, the Wiretap Act."

Sabita Soneji, a lawyer for the plaintiffs, told Newsweek that GitHub has an obligation to filter posts and offer some monitoring for information posted on its platform.

"GitHub promptly investigates content, once it's reported to us, and removes anything that violates our Terms of Service," a GitHub spokesperson told Newsweek. "The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request."

Capital One did not immediately respond when contacted by Newsweek.

The hack, which came on the heels of Equifax's minimum $575 million settlement for a 2017 breach that exposed the information of 147 million people, has reinvigorated conversations about data security.

A Capital One bank stands in Midtown Manhattan on July 30 in New York City. Drew Angerer/Getty Images

A YouGov poll taken after the Capital One hack found that 34 percent of Americans thought that their data and personal information were very vulnerable to hackers. Forty-seven percent said their data and personal information were somewhat vulnerable.

The suspect in the Capital One hack has been arrested and charged with one count of computer fraud and abuse. She faces as many as five years in jail and a $250,000 fine.

Update: This article has been updated to include comment from GitHub.