Last week, Capital One revealed it was subject to a major data breach due to a configuration vulnerability in its firewall to access its Amazon S3 database, affecting 106 million users in the US and Canada. A week after the breach, not only Capital One, but GitHub and Amazon are also facing scrutiny for their inadvertent role in the breach.
Capital One and GitHub sued in California
Last week, the law firm Tycko & Zavareei LLP filed a lawsuit in California’s federal district court on behalf of their plaintiffs Seth Zielicke and Aimee Aballo. Both plaintiffs claim Capital One and GitHub were unable to protect user’s personal data. The complaint highlighted that Paige A. Thompson, the alleged hacker stole the data in March, posted about the theft on GitHub in April.
According to the lawsuit, “As a result of GitHub’s failure to monitor, remove, or otherwise recognize and act upon obviously-hacked data that was displayed, disclosed, and used on or by GitHub and its website, the Personal Information sat on GitHub.com for nearly three months.”
The law firm also alleged that with the help of computer logs, Capital One should have known about the data breach when the information was first stolen in March. They “criticized Capital One for not taking action to respond to the breach until last month,” The Hill reports.
The lawsuit also alleges that GitHub “encourages (at least) friendly hacking.” “GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information,” the lawsuit further mentions.
According to Newsweek, GitHub also violated the federal Wiretap Act, “which permits civil recovery for those whose ‘wire, oral, or electronic communication’ has been ‘intercepted, disclosed, or intentionally used’ in violation of, inter alia, the Wiretap Act.”
A GitHub spokesperson told Newsweek, “GitHub promptly investigates content, once it’s reported to us, and removes anything that violates our Terms of Service.” “The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request,” the spokesperson further added.
On 30th July, New York Attorney General, Letitia James also announced that her office is opening an investigation into the Capital One data breach. “My office will begin an immediate investigation into Capital One’s breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief. We cannot allow hacks of this nature to become every day occurrences,” James said in a statement.
Many are confused about why a lawsuit was filed against GitHub as they believe that GitHub is not at fault. Tony Webster, a journalist, and a public records researcher tweeted, “I genuinely can’t tell if this lawsuit is incompetence or malice. GitHub owed no duty to CapitalOne customers. This would be like suing a burglar’s landlord because they didn’t detect and stop their tenant from selling your stolen TV from their apartment.”
Will have to see how Captial One vs Github lawsuit plays out, but imagine telcos being sued for malicious activiites on networks, or Amazon being sued for allowing misconfigured S3 to remain online. This will be an interesting case to track. Contract & usage terms will be key.
— Rick Holland @ Summer Camp (@rickhholland) August 3, 2019
The absolute batshittery. Was GitHub supposed to proactively remove every nine-digit string of numbers on /a coding site/?
Hey, you know what else is a nine-digit string of numbers? A phone number. You know, like those belonging to every coder who uses GitHub as a resume. pic.twitter.com/NjyjTKmaUc
— H. Poteat (@NSQE) August 3, 2019
Lawsuit filed against GitHub in wake of Capital One data breach https://t.co/N0xVaVIODk <- GitHub being included in this is incredibly dumb. In no way was this GitHub’s fault. pic.twitter.com/RoDcZgfUCH
— Justin (@xxdesmus) August 3, 2019
A user on HackerNews writes, “This is incredible: they’re suggesting that, in the same way that YouTube has content moderators, GitHub should moderate every repository that has a 9-digit sequence. They also say that GitHub “promotes hacking” without any nuance regarding modern usage of the word, and they claim that GitHub had a “duty” to put processes in place to monitor submitted content, and that by not having such processes they were in violation of their own terms of service. I hope that this gets thrown out. If not, it could have severe consequences for any site hosting user-generated content.”
Read the lawsuit to know more about this news in detail.
U.S. Senator’s letter to Amazon CEO raises questions on the security of AWS products
The letter has put forth questions to understand how the configuration error occurs and what measures is Amazon taking to protect its customers. The Journal reported, “more than 800 Amazon users were found vulnerable to a similar configuration error, according to a partial scan of cloud users, conducted in February by a security researcher.”
According to the Senator’s letter, “When a major corporation loses data on a hundred million Americans because of a configuration error, attention naturally focuses on that corporation’s cybersecurity practices.” “However, if several organizations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer and whether the company that makes it shares responsibility for the breaches,” the letter further mentions.
Jeff Bezos has been asked to reply to these questions by August 13, 2019. “Amazon has said that its cloud products weren’t the cause of the breach and that it provides tools to alert customers when data is being improperly accessed,” WSJ reports. Capital One did not comment on this news.
Read the complete letter to know more in detail.