Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response
Capital One Data Breach Spurs More Lawsuits
GitHub Also Sued for Allegedly Not Removing Data Related to IntrusionMore lawsuits have been filed in the wake of the Capital One breach that exposed the data of more than 100 million individuals. GitHub is also a target of one of those lawsuits, which alleges the code-sharing site failed to promptly remove breached data.
See Also: Gartner Guide for Digital Forensics and Incident Response
A Vancouver-based law firm filed a class action lawsuit against Capital One on Friday on behalf of affected customers who live in Canada. A case filed in a federal court in California Thursday looks to hold both Capital One and GitHub responsible for exposing customer data.
When the FBI arrested Page A. Thompson, 33, on July 29 and charged her with hacking into Capital One and allegedly exposing the customer data, court papers related to the case indicated that she posted some information about the intrusion on GitHub (see: Woman Arrested in Massive Capital One Data Breach).
"As a result of GitHub’s failure to monitor, remove or otherwise recognize and act upon obviously hacked data that was displayed, disclosed and used on and by GitHub and its website, the personal information sat on GitHub.com," according to the California lawsuit. It claims that GitHub promoted hacking activities and that it violated data privacy norms, including the U.S. Federal Trade Commission Act, the federal Wiretap Act and California's civil code.
A spokesperson for GitHub tells Information Security Media Group that it investigates suspected illegal content brought to its attention and removes it if it violates the company's terms of service.
"The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information or any other reportedly stolen personal information," the spokesperson says. "We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request."
Several other lawsuits were filed shortly after the announcement of the arrest in the case.
For example, a law firm filed a suit in federal court in Virginia on behalf of about 1 million of the bank's customers, Forbes reports. And in Connecticut, another lawsuit is seeking compensation on behalf of bank customers and other victims, according to the National Law Journal.
A Capital One spokesperson did not immediately reply to a request for comment on the lawsuits.
Meanwhile, the New York attorney general's office had launched a breach investigation (see: NY Attorney General Investigates Capital One; Lawsuits Loom )
Breach Incident
The lawsuits follow the arrest of Thompson, who lives in the Seattle area, by the FBI last week. She is charged with one count of computer fraud and abuse, according to a criminal complaint filed in federal court.
The breach, which occurred sometime between March 12 and July 17, allegedly involved Thompson accessing sensitive user data through compromised firewall settings, which apparently allowed her to access data in 700 files from one of Capital One's Amazon Web Services S3 buckets. The intrusion, however, only came to the notice of Capital One's security team when it received an email warning about the presence of data in GitHub as well as social media, according to the court documents.
The exposed bank data included certain details about 100 million individuals in the U.S. as well as data on nearly 6 million residents of Canada, according to the FBI and court documents.
Canadian Lawsuit
Ted Charney, the lead counsel of Ontario-based firm Charney Lawyers, told the CBC that the plaintiffs his firm represents in the lawsuit filed in Vancouver have sustained a financial loss or faced other monetary setbacks as a result of the Capital One breach. He says that those customers who haven't faced an immediate financial loss also should be compensated for a lesser amount depending on how much time they are forced to respond to the breach.
"The type of account information that Capital One collected is quite sensitive and it may be much more extensive than originally thought," Charney told CBC. "We thought it was prudent to get the claim out there so that ... we can start to collect information about what's happening out there to people and be ready to move forward with this if it turns out that it's as significant as some people and some government institutions think it will be."
GitHub’s Inaction Cited
In the California lawsuit against Capital One and GitHub, attorneys allege GitHub failed to quickly take down the sensitive user data despite the hacker directly posting the content to a page on the site. The suit claims that data was publicly accessible from its time of uploading on April 21 to mid-July. The lawsuit also alleges that GitHub promotes hacking and makes resources for fraudulent activities readily available.
"GitHub knew or should have known that obviously hacked data had been posted to GitHub.com. Indeed, GitHub actively encourages (at least) friendly hacking as evidenced by, interalia, GitHub.com's 'Awesome Hacking' page," according to the lawsuit.
By allowing for sensitive user information such as Social Security numbers and other personal information to be on the site, the lawsuit alleges, GitHub violated California's civil code as well as several federal statutes related to intercepting and disclosing electronic communications.
The California lawsuit also claims that Capital One failed to keep consumers’ data safe and protected from hackers, and it claims the bank did not investigate the breach as quickly as it could. It demands unspecified compensation from Capital One and GitHub.