GitHub ‘encourages’ hacking, says lawsuit following Capital One breach

Naked Security

GitHub has been named in a class action lawsuit because the hacker who allegedly stole data from more than 100 million Capital One users posted details about the theft on the platform.

GitHub is a code hosting platform for software development and version control that uses Git and lets coders collaborate remotely on projects. Microsoft bought the open-source developers’ site for $7.5 billion in stock in 2018.

The lawsuit, filed in US district court for the Northern District of California, names Capital One as well.

The suit says that GitHub had an obligation under California law and industry standards to keep Social Security numbers (SSNs) and personal information off its site, or to remove them. It says that doing so should be easy, given that SSNs are all nine digits long, in the format XXX-XX-XXXX, but that GitHub “nonetheless chose not to.” Ditto for the other sensitive information that was leaked and posted, such as individuals’ addresses, which are all “similarly readily identifiable.”

The information was available on GitHub for over three months, until a bug hunter spotted it and notified Capital One.

The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act. It also alleges that GitHub is guilty of negligence, negligence per se, and violation of the California civil code.
