Code repository GitHub and credit-card-flinger Capital One are facing down a potential class-action lawsuit in the US accusing them of negligence over the loss of 106 million individuals' personal data.
Capital One is accused of failing to take appropriate action to secure its Amazon-hosted cloud storage, while Microsoftie GitHub, or so the lawsuit claims, is alleged to have been negligent in leaving blueprints lying around on its website on how to siphon Capital One's customer data.
Late last month, a former Amazon Web Services engineer was arrested and charged with breaking into Capital One's AWS S3 buckets to steal a copy of more than 100 million credit card applicants' personal details. It is claimed the suspected thief wrote a GitHub Gist post that included instructions on how to download Capital One's customer data and shared those instructions with her pals.
Fast forward to August 1, and here we have this class-action lawsuit, brought to California's courts by two customers, Aimee Aballo and Seth Zielicke, and lawyers Tycko & Zavareei, on behalf of anyone else affected by the breach.
The complaint (PDF) accuses GitHub of "failure to monitor, remove or otherwise recognize and act upon obviously-hacked data that was displayed, disclosed and used on and by GitHub and its website, the Personal Information sat on GitHub.com for nearly three months."
The document accuses Capital One of enthusiastically embracing the cloud while failing to pay proper attention to security concerns, saying that the bank should have been aware of the breach of its AWS-hosted database as early as 12 March.
Capital One, for its part, said it was unaware of any breach until about 19 July and that it took immediate action to secure its systems. The financial giant said that the FBI has arrested the person responsible. The filings allege this person is an ex-AWS employee and that Capital One was alerted to the breach by a GitHub user emailing the bank's tip-off address.
The lawyers claim GitHub could have relatively easily spotted data like social security numbers because of their standard formatting and suggested GitHub employ content moderators like Facebook and YouTube.
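Whether a nine-digit pattern is as "easily spotted" as the complaint asserts is worth testing. The scanner below is an added example, not code from GitHub or from the filing, and its sample lines are constructed; it applies the Social Security Administration's structural rules to regex hits, which rejects obviously never-issued numbers but still cannot tell a real SSN from any other well-formed nine-digit string, so format alone is a noisy moderation signal.

```python
import re

# Constructed sample text (not from the incident). Line 2 is a well-formed but
# fictitious number, line 3 uses an area number the SSA never issues, and
# line 4 is one digit short of the SSN layout.
SAMPLE = """\
name=Jane Doe ssn=219-09-9999 state=CA
order_id 123-45-6789 shipped
phone 555-0100 ref 000-12-3456
serial 219-09-999
"""

# Layout AAA-GG-SSSS; the lookarounds stop a longer digit run from matching.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules: area 000, 666 and 900-999, group 00 and
    serial 0000 are never issued, so they can be rejected outright."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan(text: str) -> list[tuple[int, str]]:
    """Return (line_number, matched_text) for every structurally plausible hit.
    Everything that survives still needs context (surrounding field names,
    volume of hits per file) before it is worth acting on."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                hits.append((n, m.group(0)))
    return hits


if __name__ == "__main__":
    for line_no, value in scan(SAMPLE):
        print(f"line {line_no}: {value}")
```

Note that the fictitious 123-45-6789 on line 2 passes the structural check: a format scan produces candidates for review, not confirmed leaks.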
But a GitHub spokesperson told us: "GitHub promptly investigates content, once it's reported to us, and removes anything that violates our Terms of Service.
"The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information.
"We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request."
America's Congress has also weighed in. The House of Representatives Committee on Oversight and Reform has written to Capital One (PDF) requesting a full briefing on the loss and the bank's response before 15 August.
We've emailed Capital One, and will update this story if we get a response. ®