GitHub and Capital One Sued Over Failure to Protect Sensitive Customer Data

Last updated September 17, 2021
Written by:
Bill Toulas
Infosec Writer

Last week, we reported that Capital One had suffered a data breach that resulted in the leaking of highly sensitive data belonging to 106 million US and Canadian citizens. According to the FBI, the hacker behind the breach has already been arrested and is identified as Paige Thompson, a former Amazon employee from Seattle. After stealing the data, the hacker moved to GitHub.com, where she boasted about her access to the bank’s network and openly shared the data by posting it in a GitHub repository named “Awesome Hacking”.

This has resulted in a lawsuit being filed by Tycko & Zavareei LLP in the California District Court on behalf of Seth Zielicke and Aimee Aballo. The complaint is against both Capital One and GitHub, and both are facing the music for failing to safeguard the plaintiffs’ sensitive information. GitHub is accused of negligence, of encouraging hacking, and of failing to implement processes that would detect and remove publications of leaked confidential information in a timely manner. As the lawsuit puts it, GitHub knew or should have known that the plaintiffs’ PII (personal identifying information) was sensitive and could result in serious harm to the affected people if disclosed. As the complaint correctly points out, this runs directly counter to GitHub’s own Terms of Service, let alone federal law (the Wiretap Act) and state regulations (two provisions of the California Civil Code).

While GitHub removed the content after receiving the associated notice from Capital One, the plaintiffs consider the time taken for the removal excessive, and more than enough for their PII to have propagated to many more malicious actors who could have visited the “Awesome Hacking!” repository in the meantime. Still, GitHub maintains that no sensitive data such as bank account details, social security numbers, or any other critical information was shared through the repository in question.

The plaintiffs demand a trial by jury, the awarding of statutory damages, and exemplary damages. Reasonable attorney fees and all related expenses are also included in the prayer for relief. What the California court will decide remains to be seen, but given the number of people who have found themselves in a dire position due to this recent breach, the total sum of awarded damages could reach an overwhelming amount, one that would put GitHub in serious trouble.

Do you think that targeting GitHub is fair in this case, or was there nothing the developer portal could have done to prevent the information from leaking further? Let us know your thoughts in the comments section below, or on our socials, on Facebook and Twitter.
