Lawsuit Filed Against GitHub In Wake of Capital One Data Breach (thehill.com)
An anonymous reader quotes a report from The Hill: Capital One and GitHub have been hit with a class-action lawsuit over the recent data breach that resulted in the data of over 100 million Capital One customers being exposed. The law firm Tycko & Zavareei LLP filed the lawsuit on Thursday, arguing that GitHub and Capital One demonstrated negligence in their response to the breach. The firm filed the class-action complaint on behalf of those impacted by the breach, alleging that both companies failed to protect customer data.
Personal information for tens of millions of customers was exposed after a firewall misconfiguration in an Amazon cloud storage service used by Capital One was exploited. The breach exposed around 140,000 Social Security numbers and 80,000 bank account numbers, along with the credit card applications of millions in both the U.S. and Canada. The individual who allegedly perpetrated the data breach, Seattle-based software engineer Paige Thompson, was arrested earlier this week. Thompson, a former Amazon employee, allegedly accessed the data in March and posted about her theft of the information on GitHub in April, according to the complaint. Another GitHub user notified Capital One, which subsequently notified the FBI. The law firm also alleged that computer logs "demonstrate that Capital One knew or should have known" about the data breach when it occurred in March, and criticized Capital One for not taking action to respond to the breach until last month.
Hmmm (Score:5, Insightful)
Was GitHub responsible in any way for the hack? If not, then how is it illegal to publish said information even if they knew about it? Especially if they knew about it?
GitHub has a tool to detect it, didn't for three m (Score:5, Interesting)
GitHub has a tool designed to detect such things. At least if the data wasn't encrypted, I'm not sure if it was in this case. GitHub distributed the data on their site for three months. Plaintiffs argue that GitHub was negligent in having the data available for so long and not shutting off access or taking other appropriate action.
Capital One has a strong security team, and obviously someone messed up in this case. Cap One could probably do some things to make better use of their security team. I've shown things to the Capital One security folks and they've said "wow that's not cool. I'm going to talk to the appropriate people about that tomorrow."
My *impression* is that the great people who do security for Cap One can only *suggest* that doing XYZ is a bad idea, they may lack authority. I could be wrong about that.
Re: (Score:1)
Or they had more sense and tried the 'quietly quietly' approach, hoping nobody would notice the breach. Quite cost effective if it works, so I believe.
Oh, people found out though. So whatever fine is levied should be doubled. Once for having the breach, then once for trying 'quietly quietly'.
Does that bankrupt the company? Don't care. If it does it does. At least other management types would start taking notice about computer security instead of the 'The IT department is the lowest part of the company so th
Re: GitHub has a tool to detect it, didn't for thr (Score:1)
I don't disagree with you but you are describing the polar opposite of the current situation. CxOs get the most favorable contracts known to man. They get all of the enrichment and none of the fallout. I have little faith that corporations or regulators are going to do a 180 anytime soon. Even if we hacked at the roots of the problem (wealth inequality, money in politics) for years it wouldn't get to what you describe, very depressing.
More facts are needed (Score:3)
I'm withholding judgement re the executives until I have more information. The C suite did decide to spend a decent amount of money on several security teams, hiring good people. That's basically what the top executives do - decide how much money to spend on what. And this happened.
In my view, more details are needed in order to make decisions about who made what bad decisions.
Re:GitHub has a tool to detect it, didn't for thre (Score:5, Informative)
So the moral of the story is to not bother trying to detect things, because if you fail, some weepy cunt will take exception at you not hiring ten thousand idiots to goosestep through everyone's repositories and conversations.
Re: (Score:3)
"Plaintiffs argue that GitHub was negligent in having the data available for so long and not shutting off access or taking other appropriate action."
Plaintiffs were negligent for not protecting their data, and want others to do it for them. Having a tool which attempts to find this kind of data doesn't make GitHub responsible unless it flagged the data and they ignored it... Which is a good reason not to have such a tool at all, and only remove such information when specifically notified via physical corres
Re: (Score:2)
This is what happens when a business gets bought out by someone with deep pockets- it becomes lawyer-bait. How long until RedHat gets its first big lawsuit because IBM has money money money?
Social failure? Too much distance from detail? (Score:2)
From the parent comment: "I've shown things to the Capital One security folks and they've said 'wow that's not cool. I'm going to talk to the appropriate people about that tomorrow.' "
To me, the smart way to encourage social effectiveness is to require EVERYONE to understand what they are doing.
The story gives the impression that maybe no one knew all the details of proper configuratio
Re: (Score:2, Informative)
Capital One has a strong security team
"We take your security seriously"
-- Every single company ever, right after suffering a massive security breach
No, by definition, they did not have a "strong security team". Hell, they put their customers' data on a cloud service, for the love of bacon. There's no defense for that.
If they "had a strong security team", this would not have happened.
We need to start seeing jail time for the execs at the helm. Only then, will "our security be taken seriously".
They have 49,000 employees, 95 million hours (Score:1)
Capital One has 49,000 employees.
Those employees worked 95 million hours last year. One of those hours, somebody messed up.
They definitely need to look into their processes, how this good is possible.
Re: (Score:1)
Non sequitur. The vast majority of those 49,000 employees have nothing to do with fool choices like "Hey, let's put our customers' data on Amazon's computers! Cloud, hey!"
No, this was not some random choice by some bank teller. This was a fundamental dropping of the ball by Capital 1's security. Maybe that fault goes to the upper management and maybe it goes to the security team itself, or maybe it goes to both. But it is their responsibility, and they blew it bad.
Re: (Score:2)
I would guess, given their size and scale, that Capital One make somewhere in the region of several hundred thousand IT changes every year.
I mean, hell, with 49,000 employees that's 20,000 password resets a year before you even touch the IT systems.
One of those IT changes went wrong. One.
The automated security checking didn't catch it. The change processes didn't catch it. The IT professionals responsible for making the change didn't catch it. The people using the system didn't catch it. Management didn't cat
Re: (Score:2)
Or if they even try to implement strong security, developers start to complain that they have to fill out endless requisition forms and go through months to request a new database server. Or to fix a bug requires filing change request after change request, so that
Re: (Score:2)
Most organizations aren't well defended against insider threats like these. They don't know someone walks out with a thumb-drive containing a copy of their entire database.
It's a common practice in marketing for example that someone takes their customer database with them to their next job or that an engineer or programmer takes their code. Especially in Universities, even students think that the research is "their" data (even HIPAA-protected, medical data) because they did the work and wrote their disserta
Negligence requires duty (Score:1)
Negligence requires a duty in the first place.
GitHub doesn't have a duty to Capital One customers just because they have a scanner. Having a rule that did that would mean nobody would ever write scanners.
"slight care" (Score:2)
There are two legal duties here. GitHub has some duty (and required level of care) to their customer, Capital One. I believe they offered the scanner as a value-added option. That seems reasonable, as it does take CPU and disk resources to constantly scan all of GitHub.
They also owe a duty of "slight care" to everyone. A common example of slight care is if you see someone drop their wallet, you should tell them. If GitHub knew of the breach, they should have done something about it. I haven't seen any e
Good point (Score:2)
That's true
Re: (Score:2)
My *impression* is that the great people who do security for Cap One can only *suggest* that doing XYZ is a bad idea, they may lack authority. I could be wrong about that.
I think you're wrong about that. Any security team at a financial institution can go straight to the Chief Risk Officer and say, "We have a multi-hundred-million dollar exposure and it'll cost just $200k to remove it."
They'll get $200k.
That's a budget request, not authority (Score:2)
That's not authority.
Btw this is from experience (Score:2)
By the way, I mentioned that because I have experience with both ways large companies handle it. At one company where I worked, which had $24 billion in revenue, nothing got done on production without being signed off by security. Not only could Security prevent something from happening, they could do so with a pocket veto - by not saying anything.
At a large insurance conglomerate where I worked, Security is advisory; they tell the IT people what best practice is. They have no authority to say approve or
Re: (Score:2)
My point is that in the latter scenario, a security team have absolutely all of the authority they need.
That their authority is very soft and indirect doesn't reduce it.
Re: (Score:2)
Just curious, have you ever done this kind of work, on any scale?
Re: (Score:2)
Yes. I've prevented a product targeted at 20 million financial services customers going live despite having zero authority to do so, purely by highlighting the sort of risk that led to Equifax losing 35% of their market capitalisation in a week.
I got thanked for my diligence.
Re: GitHub has a tool to detect it, didn't for thr (Score:2)
Uhh, GitHub didn't have the data. It had a description of how it was obtained posted. No personal data was uploaded to GitHub.
Re: (Score:3)
Was GitHub responsible in any way for the hack?
A cousin of mine is a lawyer. He told me that folks don't get sued because they are responsible . . . but because they have money.
For example, if I was accused of sexual harassment at my workplace, I would not get sued, because in lawyer metrics . . . I have no money. My employer would get sued, because they have enough money for lawyers to be interested in.
Now, GitHub is owned by Microsoft . . . who can hire very good, expensive lawyers. So I don't think that this lawsuit against GitHub will go anywhere.
Re: (Score:2)
FWIW, there was information that suggested that SCO was bankrolled by Microsoft. It sure wasn't proof...but it sure wasn't proof of the other way either. As far as I can remember (of what I read) there wasn't any information that suggested that Microsoft acted to initiate the SCO suit...merely that they saw it as a good way to attack IBM & Linux once it appeared.
I still hate calling that group SCO, because the Santa Cruz Organization was a good company, and continued to be a good company after they so
What a tool (Score:3)
GitHub is no more responsible for the hack than your local municipality is for bank robbers escaping on public roads.
They took down the data. They're done.
Re: (Score:2)
I understand the scam perfectly. And really, the only drawback I see to this whole thing is that some lawyers will be paid for unnecessary lawyering. I took my stuff off GitHub already.
Re: (Score:2)
She's no Angelina Jolie [wikipedia.org], that's for sure.
Re: (Score:1)
The Internet: where men are men, women are men, and children are FBI agents.
This is the most true statement I've ever read on the Internet!!!
Re: (Score:3)
Per the details you posted from the article, it sounds like GitHub was not notified.
How is GitHub supposed to "monitor and remove" all suspect data? Especially if 3rd parties don't bother to notify them?
GitHub is a common carrier, of sorts. That's its whole point.
Re: (Score:2)
It doesn't say the person posted stolen data, it says they posted about the ability of any person with basic skills to access the data.
The post doesn't say why there's a lawsuit (Score:1)
So GitHub did something wrong and there's a lawsuit for negligence but the post doesn't say what GitHub actually did wrong. I've read it twice and I still don't know what GitHub actually did wrong. I'll click through to a link and see if that clears it up.
it's just because Microsoft owns GitHub (Score:1)
others mentioned it, correctly surmising that it is related to the deep pockets of Microsoft
I also think very likely it's also influenced by all the ire being directed at "tech giants" right now, the plaintiffs probably believe they can leverage that for public support (and they may be right)
and MS could have a problem in that the bank will want to deflect from themselves and will be supported by other banks (and ones like Equifax) because they want to pre-source scapegoats for future incidents
Stupid (Score:3)
Everything about this is stupid. From the hacker who bragged about it online to the fact that they never even noticed the breach. Honestly though, blaming GitHub for doing what GitHub does (distribute files) is quite the stretch.
Github is Microsoft (Score:1)
Class actions do not benefit the plaintiffs (Score:2)
Yet another class action ^h^h^h^h^h^h^h^h^h^h^h^H money grab.
Class action law is severely flawed by design.
The plaintiffs get coupons, and the legal team bringing the lawsuit gets millions.
It's all about who has the deep pockets and not about the losses the plaintiffs incurred.
Have you seen those class action notices in the mail? They basically state that unless you respond, you'll be limited to the coupons awarded. You have to notify them by mail to be excluded from the award if you want to bring your own
Re: (Score:1)
when you have the chance to form a class action you can set those rules. until then, good luck getting the country to agree to work together to make this a reality. because corporations (or owners of corporations) have a voice too and they will likely object to your low-uid-having-ass
Re: (Score:1)
I'm not a lawyer, but I'm guessing it gets pretty expensive to do the work related to filing and winning / settling a class action. The lawyers' awards are a financial incentive to get it done. My guess is that 5% may not be enough, so we'd simply have fewer class actions, if any. Most affected individuals don't even know that some wrongdoing occurred, they wouldn't gain anything if they couldn't join a class, and corporations would get away with breaking laws much more frequently.
Regarding having to opt in
GitHub (Score:2)
Another GitHub user notified Capital One, which subsequently notified the FBI.
So, was GitHub ever notified of the data being on their platform?
When did this GitHub user notify Capital One? Did they notify GitHub too? This is the important question, if GitHub was notified in April, then yeah, they're on the hook for this too. Also, if Capital One was notified in April, did they notify GitHub? What about the FBI? Did they notify GitHub?
Seems goofy GitHub is on the hook for this, given what limited information we have. A lot of failure here with people neglecting to tell GitHub (f
When will the data protection laws get updated? (Score:2)
Re: When will the data protection laws get updated (Score:2)
It was a message posted on GitHub. No actual data was posted at all.
Github = Microsoft = $$$ (Score:2)
Most Slashdotters know that GitHub is not responsible for user content on its service.
But for the lawyers, it does not matter ...
See, GitHub is now owned by Microsoft, and that means big bucks, probably before the matter goes to trial.
That is why GitHub is named in the suit.
Re: (Score:1)
Secondly, the hacker's primary home appears to have been GitLab this whole time, not GitHub. Just sayin'...
uhh (Score:1)
What about Amazon? It was their server and employee.
Re: (Score:2)
Their former employee, otherwise we wonder where you are pointing.
Re: (Score:2)
Cash is irrelevant. Amazon have substantial assets which can if necessary be sold to raise cash.
Just trial lawyers doing their thing (Score:2)
Most class action law suits are a joke.
Just my 2 cents
CDA 230 (Score:2)
As GitHub wasn't the actual poster, they seem to fall squarely in the CDA section 230 safe harbor. We've been here before, people. Doesn't matter if it's copyright infringement or hacked info.