author photo
By Bruce Sussman
Mon | Aug 5, 2019 | 7:36 AM PDT

Lots of sites and repositories post information about vulnerabilities, often with a proof of concept (POC) of how an attack can work.

YouTube recently banned this type of content for a short time and then reversed course.

But a new class action lawsuit filed against Capital One over its 2019 data breach goes beyond this concept, as it names and blames GitHub as a key player in the case.

The Capital One hacker allegedly posted personally identifiable information (PII) about Capital One customers to her GitHub account, and the lawsuit alleges GitHub did nothing about it for months, even though it should have.

Let's take a look at what the lawsuit says about GitHub as it relates to the Capital One hacking case.

5 specific claims against GitHub related to hacked data

Here are five pullouts from the newly-filed lawsuit.

1. "GitHub knew or should have known that obviously hacked data had been posted to GitHub.com. Indeed, GitHub actively encourages (at least) friendly hacking as evidenced by, inter alia, GitHub.com’s 'Awesome Hacking' page."

2. "GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information."

3. "Moreover, Social Security numbers are readily identifiable: they are nine digits in the XXX-XX-XXXX sequence. Individuals' contact information such as addresses are similarly readily identifiable. Thus, it is substantially easier to identify—and remove—such sensitive data. GitHub
nonetheless chose not to."

4. "As a result of GitHub's failure to monitor its own site—and therefore to keep Social Security numbers and other obviously-hacked Personal Information off its widely-accessed and publicly-available site—the hacked data remained on GitHub.com for over three months. As an entity that not only allows for such sensitive information to be instantly, publicly displayed, but one that also arguably encourages it, GitHub is morally culpable, given the prominence of security breaches today, particularly in the financial industry."

5. "GitHub, meanwhile, never alerted any victims that their highly sensitive Personal Information—including Social Security numbers—was displayed on its site, GitHub.com."

GitHub responds to hacking data lawsuit

A GitHub spokesperson tells SecureWorld the lawsuit contains inaccuracies:

"GitHub promptly investigates content, once it's reported to us, and removes anything that violates our Terms of Service.

The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information.

We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request."

After reading these allegations and GitHub's response, what do you think? Should sites like GitHub be expected to do more?

Or does this turn technology companies into playing the role of cybercops as in the recent situation at Cloudflare?

Comments