Paige Thompson, a Seattle-based software engineer behind the hack, had allegedly posted details about the Capital One data hack on the code-sharing site, GitHub. Now, the law firm Tycko & Zavareei LLP have filed a class-action lawsuit against Capital One and GitHub on behalf of those affected by the breach, alleging that both companies were negligent in safeguarding customers data and privacy. The 28-page lawsuit filed on Thursday in the U.S. District Court for the Northern District of California claimed that GitHub “actively encourages (least) friendly hacking.” “GitHub had a duty under California law to keep (or remove) the site’s social security number and other personal information,” the law firm said in its complaint against GitHub and Capital One. It also says that GitHub violated the federal Wiretap Act, “which permits civil recovery for those whose ‘wire, oral, or electronic communication’ has been ‘intercepted, disclosed, or intentionally used’ in violation of, inter alia, the Wiretap Act.” “As a result of GitHub’s failure to monitor, remove, or otherwise recognize and act upon obviously-hacked data that was displayed, disclosed, and used on or by GitHub and its website, the Personal Information sat on GitHub.com for nearly three months,” the law firm said in its complaint against GitHub and Capital One. The lawsuit further alleges that details about Capital One hack were available from April 21, 2019, to mid-July before they were taken down. The computer logs “demonstrate that Capital One knew or should have known” about the data breach when it took place in March. However, the company failed to take any action against the breach until last month resulting in violation of state law to remove the information. Responding to the lawsuit, a spokesperson for GitHub in a statement to The Hill said that “GitHub promptly investigates content, once it’s reported to us, and removes anything that violates our Terms of Service.” The spokesperson added that “the file posted to GitHub did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving the request.” Thompson was arrested earlier this week and has been charged with one count of data fraud and abuse. She could face up to 5 years in prison and a $250,000 fine.
