Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
The Courts Privacy Security

Lawsuit Filed Against GitHub In Wake of Capital One Data Breach (thehill.com) 92

An anonymous reader quotes a report from The Hill: Capital One and GitHub have been hit with a class-action lawsuit over the recent data breach that resulted in the data of over 100 million Capital One customers being exposed. The law firm Tycko & Zavareei LLP filed the lawsuit on Thursday, arguing that GitHub and Capital One demonstrated negligence in their response to the breach. The firm filed the class-action complaint on behalf of those impacted by the breach, alleging that both companies failed to protect customer data.

Personal information for tens of millions of customers was exposed after a firewall misconfiguration in an Amazon cloud storage service used by Capital One was exploited. The breach exposed around 140,000 Social Security numbers and 80,000 bank account numbers, along with the credit card applications of millions in both the U.S. and Canada. The individual who allegedly perpetrated the data breach, Seattle-based software engineer Paige Thompson, was arrested earlier this week. Thompson, a former Amazon employee, allegedly accessed the data in March and posted about her theft of the information on GitHub in April, according to the complaint. Another GitHub user notified Capital One, which subsequently notified the FBI.
The law firm also alleged that computer logs "demonstrate that Capital One knew or should have known" about the data breach when it occurred in March, and criticized Capital One for not taking action to respond to the breach until last month.
This discussion has been archived. No new comments can be posted.

Lawsuit Filed Against GitHub In Wake of Capital One Data Breach

Comments Filter:
  • Hmmm (Score:5, Insightful)

    by Impy the Impiuos Imp ( 442658 ) on Saturday August 03, 2019 @08:08AM (#59033848) Journal

    Was GitHub responsible in any way for the hack? If not, then how is it illegal to publish said information even if they knew about it? Especially if they knew about it?

    • by raymorris ( 2726007 ) on Saturday August 03, 2019 @08:18AM (#59033872) Journal

      GitHub has a tool designed to detect such things. At least if the data wasn't encrypted, I'm not sure if it was in this case. GitHub distributed the data on their site for three months. Plaintiffs argue that GitHub was negligent in having the data available for so long and not shutting off access or taking other appropriate action.

      Capital One has a strong security team, and obviously someone messed up in this case. Cap One could probably do some things to make better use of their security team. I've shown things to the Capital One security folks and they've said "wow that's not cool. I'm going to talk to the appropriate people about that tomorrow."

      My *impression* is that the great people who do security for Cap One can only *suggest* that doing XYZ is a bad idea, they may lack authority. I could be wrong about that.

      • by Anonymous Coward

        Or they had more sense and tried the 'quetly quietly' approach hoping nobody would notice the breach. Quite cost effective if it works so I believe.

        Oh, people found out though. So whatever fine is levied should be doubled. Once for having the breach, then once for trying 'quietly quietly'.

        Does that bankrupt the company? Don't care. If it does it does. At least other management types would start taking notice about computer security instead of the 'The IT department is the lowest part of the company so th

        • I don't disagree with you but you are describing the polar opposite of the current situation. CxOs get the most favorable contracts known to man. They get all of the enrichment and none of the fallout. I have little faith that corporations or regulators are going to do a 180 anytime soon. Even if we hacked at the roots of the problem (wealth inequality,
          money in politics) for years it wouldn't get to what you describe, very depressing.

        • I'm withholding judgement re the executives until I have more information. The C suite did decide to spend a decent amount of money on several security teams, hiring good people. That's basically what the top executives do - decide how much money to spend on what. And this happened.

          In my view, more details are needed in order to make decisions about who made what bad decisions.

      • by Anonymous Coward on Saturday August 03, 2019 @08:39AM (#59033940)

        So the moral of the story is to not bother trying to detect things, because if you fail, some weepy cunt will take exception at you not hiring ten thousand idiots to goosestep through everyone's repositories and conversations.

        • Or perhaps you do what any business with secure lockers do... provide them and put a sign indicating you are using them at your own risk.
      • "Plaintiffs argue that GitHub was negligent in having the data available for so long and not shutting off access or taking other appropriate action."

        Plaintiffs were negligent for not protecting their data, and want others to do it for them. Having a tool which attempts to find this kind of data doesn't make GitHub responsible unless it flagged the data and they ignored it... Which is a good reason not to have such a tool at all, and only remove such information when specifically notified via physical corres

      • "You had a data breach and you didn't notice it for 3 months? It's not to us to monitor your data breaches, especially if you didn't notify anyone because you didn't notice."

        This is what happens when a business gets bought out by someone with deep pockets- it becomes lawyer-bait. How long until RedHat gets its first big lawsuit because IBM has money money money?

      • From the Slashdot story: "... firewall mis-configuration in an Amazon cloud storage service used by Capital One..."

        From the parent comment: "I've shown things to the Capital One security folks and they've said 'wow that's not cool. I'm going to talk to the appropriate people about that tomorrow.' "

        To me, the smart way to encourage social effectiveness is to require EVERYONE to understand what they are doing.

        The story gives the impression that maybe no one knew all the details of proper configuratio
      • Re: (Score:2, Informative)

        by Anonymous Coward

        Capital One has a strong security team

        "We take your security seriously"
        -- Every single company ever, right after suffering a massive security breach

        No, by definition, they did not have a "strong security team". Hell, they put their customer's data on a cloud service for the love of bacon. There's no defense for that.

        If they "had a strong security team", this would not have happened.

        We need to start seeing jail time for the execs at the helm. Only then, will "our security be taken seriously".

        • Capital One has 49,000 employees.

          Those employees worked 95 million hours last year. One of those hours, somebody messed up.

          They definitely need to look into their processes, how this good is possible.

          • by Anonymous Coward

            Non-sequitur. The vast majority of those 49,000 employees have nothing to do with fool choices like "Hey, let's put our customer's data on Amazon's computers! Cloud hey!"

            No, this was not some random choice by some bank teller. This was a fundamental dropping of the ball by Capital 1's security. Maybe that fault goes to the upper management and maybe it goes to the security team itself, or maybe it goes to both. But it is their responsibility, and they blew it bad.

            • by Cederic ( 9623 )

              I would guess, given their size and scale, that Capital One make somewhere in the region of several hundred thousand IT changes every year.

              I mean, hell, with 49000 employees that's 20000 password resets a year before you even touch the IT systems.

              One of those IT changes went wrong. One.

              The automated security checking didn't catch it. The change processes didn't catch it. The IT professionals responsible for making the change didn't catch it. The people using the system didn't catch it. Management didn't cat

              • by tlhIngan ( 30335 )

                But no, lets blame Capital One's security team.

                After all, they had infinite funding, enough manpower to explicitly check and validate every single IT change, in triplicate, and then test it afterwards, write a report and sign off that it was secure.

                Or if they even try to implement strong security, developers start to complain that they have to fill out enless requisition forms and go through months to request a new database server. Or to fix a bug requires filing change request after change request, so that

      • by guruevi ( 827432 )

        Most organizations aren't well defended against insider threats like these. They don't know someone walks out with a thumb-drive containing a copy of their entire database.

        It's a common practice in marketing for example that someone takes their customer database with them to their next job or that an engineer or programmer takes their code. Especially in Universities, even students think that the research is "their" data (even HIPAA-protected, medical data) because they did the work and wrote their disserta

      • by Anonymous Coward

        Negligence requires a duty in the first place.

        Github doesn't have a duty to capital one customers just because they have a scanner. Having a rule that did that would mean nobody would ever write scanners.

        • There are two legal duties here. GitHub has some duty (and required level of care) to their customer, Capital One. I believe they offered the scanner as a value-added option. That seems reasonable, as it does take CPU and disk resources to constantly scan all of GitHub.

          They also owe a duty of "slight care" to everyone. A common example of slight care is if you see someone drop their wallet, you should tell them. If Github knew of the breach, they should have done something about it. I haven't seen any e

      • by Cederic ( 9623 )

        My *impression* is that the great people who do security for Cap One can only *suggest* that doing XYZ is a bad idea, they may lack authority. I could be wrong about that.

        I think you're wrong about that. Any security team at a financial institution can go straight to the Chief Risk Officer and say, "We have a multi-hundred-million dollar exposure and it'll cost just $200k to remove it."

        They'll get $200k.

          • By the way, I mentioned that because I have experience with both ways large companies handle it. At one company where I worked, which had $24 billion in revenue, nothing got done on production without being signed off by security. Not only could Security prevent something from happening, they could do so with a pocket veto - by not saying anything.

            At a large insurance conglomerate where I worked, Security is advisory; they tell the IT people what best practice is. They have no authority to say approve or

            • by Cederic ( 9623 )

              My point is that in the latter scenario, a security team have absolutely all of the authority they need.

              That their authority is very soft and indirect doesn't reduce it.

              • Just curious, have you ever done this kind of work, on any scale?

                • by Cederic ( 9623 )

                  Yes. I've prevented a product targeted at 20 million financial services customers going live despite having zero authority to do so, purely by highlighting the sort of risk that led to Equifax losing 35% of their market capitalisation in a week.

                  I got thanked for my diligence.

      • Uhh, GitHub didn't have the data. It had a description of how it was obtained posted. No personal data was uploaded to GitHub.

    • Was GitHub responsible in any way for the hack?

      A cousin of mine is a lawyer. He told me that folks don't sued because they are responsible . . . but because they have money.

      For example, if I was accused of sexual harassment at my workplace, I would not get sued, because in lawyer metrics . . . I have no money. My employer would get sued, because they have enough money for lawyers to be interested in.

      Now, GitHub is owned by Microsoft . . . who can hire very good, expensive lawyers. So I don't think that this lawsuit against GitHub will go anywhere.

      • SCO still ended up with (and spent) all the money that they withheld from Novell. IBM was just a step along the road, since they weren't holding any of IBMs money.
      • by HiThere ( 15173 )

        FWIW, there was information that suggested that SCO was bankrolled by Microsoft. It sure wasn't proof...but it sure wasn't proof of the other way either. As far as I can remember (of what I read) there wasn't any information that suggested that Microsoft acted to initiate the SCO suit...merely that they saw it as a good way to attack IBM & Linux once it appeared.

        I still hate calling that group SCO, because the Santa Cruz Organization was a good company, and continued to be a good company after they so

    • It would violate the laws of logic and physics for them to publish the information if they didn't yet know about it, now, wouldn't it?
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Saturday August 03, 2019 @08:37AM (#59033930) Homepage Journal

    GitHub is no more responsible for the hack than your local municipality is for bank robbers escaping on public roads.

    They took down the data. They're done.

    • You're entirely missing the point. Capital One can't get hit with a class-action lawsuit, because it was their customers who were exposed. Doubtless, in this day and age, the customers are enjoined by an individual binding arbitration clause which prohibits them from joining a class-action. So the lawyers went after GitHub (the "publisher") instead, because they have no such protection, and their parent (Microsoft) has lots and lots of money. Billable hours for everyone!!!
      • I understand the scam perfectly. And really, the only drawback I see to this whole thing is that some lawyers will be paid for unnecessary lawyering. I took my stuff off GitHub already.

  • Comment removed based on user account deletion
    • Per the details you posted from the article, it sounds like Github was not notified.

      How is Github supposed to "monitor and remove" all suspect data? Especially if 3rd parties don't bother to notify them?

      Github is a common carrier, of sorts. That's it's whole point.

    • ... posted about her theft of the information on GitHub in April ...

      It doesn't say the person posted stolen data, it says they posted about the ability of any person with basic skills to access the data.

  • by Anonymous Coward

    So GitHub did something wrong and there's a lawsuit for negligence but the post doesn't say what GitHub actually did wrong. I've read it twice and I still don't know what GitHub actually did wrong. I'll click through to a link and see if that clears it up.

  • by Anonymous Coward

    others mentioned it, correctly surmising that it is related to the deep pockets of Microsoft

    I also think very likely it's also influenced by all the ire being directed at "tech giants" right now, the plaintiffs probably believe they can leverage that for public support (and they may be right)

    and MS could have a problem in that the bank will want to deflect from themselves and will be supported by other banks (and ones like Equifax) because they want to pre-source scapegoats for future incidents

  • by Gravis Zero ( 934156 ) on Saturday August 03, 2019 @10:11AM (#59034234)

    Everything about this is stupid. From the hacker who posted that bragged online to the fact that they never even noticed the breach. Honestly though, blaming github for doing what github does (distribute files) is quite the stretch.

  • And the track record of Microsoft in the security space is well known.
  • Yet another class action ^h^h^h^h^h^h^h^h^h^h^h^H money grab.

    Class action law is severely flawed by design.

    The plaintiffs get coupons, and the legal team bringing the lawsuit gets millions.

    It's all about who has the deep pockets and not about the losses the plaintiffs incurred.

    Have you seen those class action notices in the mail. They basically state that unless you respond, you'll be limited to the coupons awarded. You have to notify them by mail to be excluded from the award if you want to bring your own

    • by Anonymous Coward

      when you have the chance to form a class action you can set those rules. until then, good luck getting the country to agree to work together to make this a reality. because corporations (or owners of corporations) have a voice too and they will likely object to your low-uid-having-ass

    • by Anonymous Coward

      I'm not a lawyer, but I'm guessing it gets pretty expensive to do the work related to filing and winning / settling a class action. The lawyers awards are a financial incentive to get it done. My guess is that 5% may not be enough, so we'd simply have fewer class actions, if any. Most affected individuals don't even know that some wrong-doing occurred, they wouldn't gain anything if they couldn't join a class, and corporations would get away with breaking laws much more frequently.

      Regarding having to opt in

  • Another GitHub user notified Capital One, which subsequently notified the FBI.

    So, was GitHub ever notified of the data being on their platform?

    When did this GitHub user notify Capital One? Did they notify GitHub too? This is the important question, if GitHub was notified in April, then yeah, they're on the hook for this too. Also, if Capital One was notified in April, did they notify GitHub? What about the FBI? Did they notify GitHub?

    Seems goofy GitHub is on the hook for this, given what limited information we have. A lot of failure here with people neglecting to tell GitHub (f

  • Ignoring the misconfigured firewall, which is negligent, why was the data stored in a non-encrypted format? Regardless of the importance of the information, all data on a server should be stored encrypted, and inside encrypted containers, at a minimum. If a server does get breached, it shouldn't really matter, as the data should never be left in a readable format, to maximize data protection and to minimum the effect of the breach, to do other wise, should be seen as legal negligence on the part of the co
  • Most of Slashdotters know that Github is not responsible for user content on its service.

    But for the lawyers, it does not matter ...

    See, Github is now owned by Microsoft, and that means big bucks, probably before the matter goes on trial.

    That is why Github is named in the suit.

    • by nadass ( 3963991 )
      Except Microsoft will quickly petition to have themselves removed from the lawsuit due to GitHub having no active role in the breach.

      Secondly, the hacker's primary home appears to have been GitLab this whole time, not GitHub. Just sayin'...
  • by jisom ( 113338 )

    What about Amazon? It was there server and employee.

    • by gtall ( 79522 )

      Their former employee, otherwise we wonder where you are pointing.

  • to enrich themselves. In class action suits the class gets little and the lawyer gets rich with other peoples money.

    Most class action law suits are a joke.

    Just my 2 cents ;)
  • As Github wasn't the actual poster they seem to fall squarely in the CDA section 230 safe harbor. We've been here people. Doesn't matter if it's copyright infringement or hacked info.

No spitting on the Bus! Thank you, The Mgt.

Working...