STE WILLIAMS

Class-action sueball flung at Capital One and GitHub over theft of 106 million folks’ details

Code repository GitHub and credit card flinger Capital One are facing down a potential class action suit in the US accusing them of negligence over the loss of 106 million individuals’ personal data.

Capital One is accused of failing to take appropriate action to secure its systems, while Microsoftie GitHub – or so the lawsuit claims – is alleged to have been negligent in leaving information relating to the exploit that allowed access to Capital One’s customer data available on its site.

The case is being brought by two customers, Aimee Aballo and Seth Zielicke, and lawyers Tycko & Zavareei, on behalf of anyone else affected by the breach.

The complaint (PDF) accuses GitHub of “failure to monitor, remove or otherwise recognize and act upon obviously-hacked data that was displayed, disclosed and used on and by GitHub and its website, the Personal Information sat on GitHub.com for nearly three months.”

The document accuses Capital One of enthusiastically embracing the cloud while failing to pay proper attention to security concerns, saying that the bank should have been aware of the breach of its AWS-hosted database as early as 12 March.

Capital One, for its part, said it was unaware of any breach until about 19 July and that it took immediate action to secure its systems. The financial giant said that the FBI has arrested the person responsible. The filings allege this person is an ex-AWS employee and that Capital One was alerted to the breach by a GitHub user emailing the bank’s tip-off address.

The lawyers claim GitHub could have relatively easily spotted data like social security numbers because of their standard formatting, and suggest GitHub employ content moderators as Facebook and YouTube do.

But a GitHub spokesperson told us: “GitHub promptly investigates content, once it’s reported to us, and removes anything that violates our Terms of Service.

“The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information.

“We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request.”

The US government has also weighed in. The House of Representatives Committee on Oversight and Reform has written to Capital One (PDF) requesting a full briefing on the loss and the bank’s response before 15 August.

We’ve emailed Capital One and will update this story if we get a response. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/05/github_and_capital_one_hit_by_class_action_suit/