GitHub ‘encourages’ hacking, says lawsuit following Capital One breach
GitHub is a code hosting platform for software development version control that uses Git and which lets coders remotely collaborate on projects. Microsoft bought the open-source developers’ site for $7.5 billion in stock in 2018.
The lawsuit, filed in US district court for the Northern District of California, names Capital One as well.
The suit says that GitHub had an obligation under California law and industry standards to keep off or remove Social Security numbers (SSNs) and personal information from its site. It says that it should be easy to do, given that SSNs are all nine digits long, in the sequence of XXX-XX-XXXX, but that GitHub “nonetheless chose not to.” Ditto for the other sensitive information that was leaked and posted, such as individuals’ addresses, which are all “similarly readily identifiable.”
The information was available on GitHub for over three months, until a bug hunter spotted it and notified Capital One.
The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act. It also alleges that GitHub is guilty of negligence, negligence per se, and violation of the California civil code.
However, Capital One and GitHub spokespeople told news outlets that the data uploaded to GitHub by the hacker didn’t contain any personal information. ZDNet quoted the GitHub spokesperson:
The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request.
Ex-Amazon systems engineer arrested
Last week, FBI agents arrested 33-year-old Paige A. Thompson, of Seattle – also known by her username “erratic” on social media platforms – for allegedly posting information on GitHub about stealing data from Capital One servers via a misconfigured firewall.
Last Monday, 29 July 2019, FBI agents executed a search warrant at Thompson’s home and seized electronic storage devices allegedly containing a copy of the leaked data.
The devices held nearly 30GB of Capital One credit application data from an unspecified rented cloud data server. Capital One said the breach affected about 100 million people in the US, 6 million in Canada, and any consumer or small business who applied for a credit card in the past 14 years (2005 to early 2019). The data included names, addresses, zip codes, phone numbers, email addresses, dates of birth, and income. Affected data for some customers also included credit scores, credit limits, balances, payment history, contact information, SSNs, and bank account numbers linked to credit cards.
The complaint didn’t identify the cloud-hosting provider from which the Capital One credit data was taken, but it does say that Thompson’s resume indicates that she worked as a systems engineer at the unnamed provider between 2015 and 2016.