Aug 09, 2019

Class-action lawsuit filed against GitHub for hosting instructions to hack Capital One

Last week GitHub and Capital One were accused of negligence in the recent exposure of 106 million individuals’ personal data. The perpetrator behind the attack, a former AWS engineer, was arrested by the FBI for unlawfully gaining access to Capital One’s AWS S3 bucket to copy customer data, in violation of the US Computer Fraud and Abuse Act. The hacker was able to bypass a misconfigured web application firewall to steal roughly 140,000 US Social Security numbers, 80,000 bank account numbers, and 1 million Canadian social insurance numbers. Capital One only discovered the breach after a GitHub user alerted them to a GitHub post documenting the attack.

The hacker created a GitHub Gist post that included instructions on how to download Capital One's customer data and shared those instructions with her friends. GitHub argued that the post contained no Social Security numbers, bank account information, or other stolen data. The Gist, however, did contain content with information about the methods used to steal the data, which GitHub took down once notified by Capital One.

The lawsuit accuses GitHub of "failure to monitor, remove or otherwise recognize and act upon obviously-hacked data that was displayed, disclosed and used on and by GitHub and its website" and, as a result, "the Personal Information sat on for nearly three months."

GitHub takes a passive role in policing content on its platform, preferring to remove content only when requested by a third party. Should GitHub be required to scan for potentially illegal content (similar to how Facebook and Twitter operate), or would that interfere with its reputation as an open platform? GitHub can already actively scan repositories for vulnerabilities and private package credentials, leaving open the possibility that code could be analyzed in other ways, such as flagging hackers with malicious intent. As GitHub gets smarter at helping developers patch code vulnerabilities, expect greater pressure from the world beyond the repository platform for it to take greater responsibility for containing data breaches and other security issues.
