On July 29, Capital One disclosed it suffered a data breach that exposed the records of 106 million of its customers. Last Thursday, two of the bank’s members filed a class-action suit on behalf of all the consumers affected by the hack. However, the plaintiffs also sued GitHub for not “exercising reasonable care” to protect the victims of the leak.
Why Capital One Customers are Suing GitHub
Notably, Capital One system administrators didn’t discover the data breach. Instead, a GitHub user informed the bank that another of the service’s customers had posted details about the then-unknown data breach. Ultimately, the Federal Bureau of Investigation (FBI) charged former Amazon systems engineer Paige Thompson with compromising the financial institution’s cybersecurity.
On Thursday, Aimee Aballo and Seth Zielicke filed suit against Capital One and GitHub for failing to protect their personal information and the private data of 106 million other bank customers. The plaintiffs allege the bank’s cybersecurity was dangerously lax. As evidence, the filing cites the fact that the financial services company experienced data breaches in November 2014, August 2017, and February 2018.
The pair is suing GitHub because they believe the firm facilitated the hack. The duo claims the firm “actively encourages” hacking by hosting repositories with names like “Awesome Hacking.”
Furthermore, the plaintiffs argue that the Microsoft subsidiary didn’t act quickly enough to take down files containing stolen user data.
Aballo and Zielicke’s court filing notes the Capital One hacker uploaded files related to their crime to GitHub in April. But, the litigants allege, the firm didn’t take them down until July. As such, the pair argues that if the platform employed moderators, it could’ve identified the personal data much faster. In particular, the litigants note human oversight would’ve noticed the upload of several Social Security numbers because of their sequence.
The plaintiffs’ lawsuit notes they are seeking damages of at least $5 million.
A GitHub spokesman told ZDNet that no Capital One consumer information got uploaded to its servers. Furthermore, the representative noted the company “promptly” took action to take down the file detailing the bank hack.
Why the Lawsuit Against GitHub Probably Won’t Succeed
Though the class-action suit against Capital One may prevail, the legal action against GitHub probably won’t succeed. In the United States, Section 230 of the Communications Decency Act protects tech companies from being held liable for the content users post on their platforms. As such, the act protects Facebook from being sued when terrorists use the platform to plan their actions.
Consequently, GitHub’s attorneys could argue that Section 230 applies to repositories the same way it applies to social networks. Besides, the company could say it acted responsibly by quickly acting upon Capital One’s takedown request. Indeed, to win their claim, Aballo and Zielicke’s attorneys would need to upend almost two decades of legal precedent.
Also, as the platform hosts 37 million users and 96 million repositories, it seems unreasonable to expect it to instantaneously review and take down all files that feature nine-digit fixed number sequences.