A class action lawsuit brought on behalf of victims of the massive Capital One data breach has accused GitHub of encouraging hacking and of negligence by allowing stolen personal data to be posted to the code repository.
GitHub has rubbished the claims, saying it had promptly removed the data in question, and that it did not actually contain personal details.
The data breach saw personal information on 106 million credit card applicants in the US and Canada lifted from Capital One’s cloud storage buckets between March and July 17 this year.
A Seattle-based software engineer has been arrested by the FBI and charged with violating the US’ Computer Fraud and Abuse Act.
Inevitably, class action lawyers have fixed on the case, fingering GitHub alongside Capital One. A class action suit filed by Tycko & Zavareei, on behalf of aggrieved Capital One customers, noted that “(“the hacker”) posted this Personal Information on GitHub.com, GitHub’s website, which encourages (at least friendly) hacking and which is publicly available”.
“As a result of GitHub’s failure to monitor, remove, or otherwise recognize and act upon obviously-hacked data that was displayed, disclosed, and used on and by GitHub and its website, the Personal Information sat on GitHub.com for nearly three months,” the suit claims.
It added that, “Capital One did not even begin to investigate the data breach until or around July 17, 2019, when it received an email apparently from a GitHub.com user alerting Capital One that there “appear[ed] to be some leaked” customer data publicly available on GitHub.com.”
Even then, the suit continues, GitHub did not “suspend the hacker’s GitHub account or access to the site, even though it knew or should have known that the hacker had breached GitHub’s own Terms of Service”.
Elsewhere the suit says, “GitHub knew or should have known that obviously hacked data had been posted to GitHub.com. Indeed, GitHub actively encourages (at least) friendly hacking as evidenced by, inter alia, GitHub.com’s “Awesome Hacking” page.”
Consequently, the plaintiffs have brought claims of negligence and negligence per se against both Capital One and GitHub, as well as violation of the Wiretap Act against GitHub and other charges.
As a result, the suit demands, amongst other things, “statutory damages, trebled, and punitive or exemplary damages, to the extent permitted by law” as well as “the costs and disbursements of the action, along with reasonable attorneys’ fees, costs, and expenses” and any other relief that may be appropriate.
For its part, GitHub said in a statement: “GitHub promptly investigates content, once it’s reported to us, and removes anything that violates our Terms of Service. The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information”.
It added, “We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request.”