Another proposed class action lawsuit filed in the wake of the Capital One data breach alleges GitHub, the website on which the hacked personal information of roughly 100 million of the bank’s customers lived for nearly three months before being discovered, “encourages” or is at least friendly to hacking. The 27-page complaint out of California claims GitHub shares some of the blame for the cyber incident in that it failed to “monitor, remove or otherwise recognize and act upon” the Capital One customer data on its website.
According to the lawsuit, a former Amazon Web Services employee gained access to Capital One’s databases and stole customer data sometime in March 2019. In April, the hacker, who now faces criminal charges, allegedly posted the stolen data on GitHub.com, a widely used, Microsoft-owned collaboration platform for web developers. According to the case, Capital One did not begin to look into the cyber incident until around July 17, when it received an email from a GitHub user alerting it to the leaked customer data.
For its part, GitHub, the lawsuit says, “never alerted any victims” that their data was exposed and posted on its website. The platform also took no steps to remove the stolen data, the case adds.
“Instead, the hacked data was available on GitHub.com for three months,” the complaint states.
Further, the lawsuit charges, GitHub did not even suspend the account of the hacker believed to be responsible for the data breach “even though it knew or should have known that the hacker had breached” the platform’s Terms of Service.
Among the information allegedly accessed during the breach were names, addresses, zip codes, birth dates, self-reported incomes, and other details provided to Capital One through credit card applications. Other customer data accessed includes credit scores, balances, payment histories, roughly 140,000 Social Security numbers and approximately 80,000 bank account numbers, the complaint says.