
Lawsuit filed against GitHub in wake of Capital One data breach - danso
https://thehill.com/policy/cybersecurity/455993-lawsuit-filed-against-github-in-wake-of-capital-one-data-breach
======
jedberg
As my lawyer friend said, a good class action is a lawyer’s startup. Litigate
one good one and you’re set for life.

In a case like this, you have to be the first to file so that everyone else
gets merged with yours.

It’s sort of sad that they were so quick on this but that’s why.

------
jchw
Is the allegation that Github was just supposed to know about this? I am sure
it’s plenty busy trying to keep up with reports, less proactively seeking out
questionable content. What’s next, should there be lawsuits against Pastebin
sites?

~~~
deathanatos
(IANAL) Seems to be that yeah, GitHub should have known. I'd recommend going
to the complaint[1] and skipping the news article. So, the complaint
states[1],

> _This outside individual (“the hacker”) posted this Personal Information on
> GitHub.com, GitHub’s website, which encourages (at least friendly) hacking
> and which is publicly available. As a result of GitHub’s failure to monitor,
> remove, or otherwise recognize and act upon obviously-hacked data that was
> displayed, disclosed, and used on and by GitHub and its website, the
> Personal Information sat on GitHub.com for nearly three months._

First, I do not like that the lawyers are punning between hacker "a person who
uses computers to gain unauthorized access to data" ("the hacker") and hacker
"an enthusiastic and skillful computer programmer or user" ("GitHub's website,
which encourages […] hacking").

They allege it was the actual data posted:

> _Not surprisingly, therefore, the hacker, a software developer, posted the
> breached data on GitHub.com_

This part is interesting:

> _According to the timestamp on the file containing certain Capital One
> customers’ breached data, the hacker posted the data on GitHub.com on or
> about April 21, 2019._

Because AFAIK, GitHub does not display upload times on its website, so I'm
curious how the plaintiffs came to this conclusion. IIRC, the times that
GitHub displays, e.g., in its listing of files are the times in the _git_
data, which do not necessarily reflect the time the data was first uploaded to
GitHub. (E.g., compare that a commit has a commit timestamp, but you can
commit, wait 2 days, and then upload the commit to GitHub.)

> _Nevertheless, Capital One did not even begin to investigate the data breach
> until or around July 17, 2019, when it received an email apparently from a
> GitHub.com user alerting Capital One that there “appear[ed] to be some
> leaked” customer data publicly available on GitHub.com._

> _GitHub, meanwhile, never alerted any victims that their highly sensitive
> Personal Information—including Social Security numbers—was displayed on its
> site, GitHub.com. Nor did GitHub timely remove the obviously hacked data.
> Instead, the hacked data was available on GitHub.com for three months._

> _22. GitHub apparently did not even suspend the hacker’s GitHub account or
> access to the site, even though it knew or should have known that the hacker
> had breached GitHub’s own Terms of Service, which state that: “GitHub has
> the right to suspend or terminate [a user’s] access to all or any part of
> the [GitHub.com] Website at any time, with or without cause, with or without
> notice, effective immediately.”_

It seems likely that GitHub wasn't aware. Nowhere in the complaint do I see
where GitHub is made aware of this issue prior to it being public.

This part is interesting:

> _28. GitHub had an obligation, under California law, to keep off (or to
> remove from) its site Social Security numbers and other Personal
> Information._

> _29. Further, pursuant to established industry standards, GitHub had an
> obligation to keep off (or to remove from) its site Social Security numbers
> and other Personal Information._

I don't know if "established industry standards" holds up in court, but the 28
there is interesting. Lawyers writing this complaint, y u no cite what _part_
of CA law? CA's law is actually really easy to browse/lookup if you know what
code and what section you're looking for.

[1]: https://www.dropbox.com/s/cjdflk7rh4z8ery/TZ_GitHub_CapitalOne_FINAL_Complaint_8_1_19.pdf?dl=0

~~~
otakucode
If the 'established industry standards' were real, they would hold up in
court. Software has no established industry standards. This has been an issue
in many court cases. There are many "standards" but none of them are official,
which results in any claims of negligence when it comes to software, no matter
how egregious the behavior was, failing. We saw this with the Toyota
'unintended acceleration' scandal. The court acknowledged that out of 90+
automotive industry 'recommended' and 'suggested' coding practices, Toyota's
code only followed 4. They acknowledged that Toyota let software engineers
play no role in deciding scheduling. They acknowledged that Toyota software
engineers did not have static analysis and other tools, or even a bug tracker.
But, the court had to find them not guilty of criminal negligence because
there simply aren't any legal standards or regulations which they could be
said to be negligent of.

If you were building a bridge and you hired unqualified engineers, deprived
them of tools they needed, ignored them when it came time to determine
scheduling, didn't follow established regulations and standards, etc., the
company's executives would be prosecuted for criminal negligence and be sent
to prison. If software is involved, however, the situation couldn't be more
different. It's an issue that has been debated for well over a decade in the
ACM at least. Companies don't want to have to pay more for talent, and most
software engineers don't want to raise the barrier to entry. The real danger
is that if the software industry waits too long to establish some way of
handling these issues, some public tragedy will inspire a kneejerk government
response that results in a suffocating set of standards that makes everyone
unhappy.

~~~
lonelappde
How is a Toyota car not "automotive engineering", regardless of whether the
flaw was hardware or software?

------
mmaunder
Why not sue Cisco for transiting the stolen data on routers they made?

~~~
jsty
Don't give the MPAA / RIAA any ideas ...

------
kyledrake
I believe this is covered by Section 230. Would expect to see this thrown out,
but law is crazy so who knows.

https://en.wikipedia.org/wiki/Section_230_of_the_Communications_Decency_Act

------
btown
This is incredible: they're suggesting that, in the same way that YouTube has
content moderators, GitHub should moderate every repository that has a 9-digit
sequence. They also say that GitHub "promotes hacking" without any nuance
regarding modern usage of the word, and they claim that GitHub had a "duty" to
put processes in place to monitor submitted content, and that by not having
such processes they were in violation of their own terms of service.

I hope that this gets thrown out. If not, it could have severe consequences
for any site hosting user-generated content.

~~~
dharmab
Reminds me of the time our security team tried to add a hook preventing any
high-entropy strings from being pushed to git. It lasted half a day, since
they forgot about public keys, UUIDs, hex codes...

~~~
daveFNbuck
I've added a few hooks to try to improve code quality over the years. I can't
imagine doing that without first running it over the whole repo to make sure
it wasn't flagging good code and cleaning up any legitimate bad code that was
caught.

~~~
dharmab
Our code quality checks run as a CI make target instead of a hook. We then
have our repo set up to disallow direct push; everything has to go through a
PR and therefore CI.

~~~
daveFNbuck
Either way, it's important to validate the checks on existing code before
making them a blocker.

~~~
dharmab
Yes, which is why I like the make target method. You can make the target apply
to new files exclusively at first, then incrementally add old files as they
are touched in the course of normal work.
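
The hook dharmab's security team tried, together with daveFNbuck's point about running a check over the existing repo before it becomes a blocker, as an added example (not code from any commenter). It flags high-entropy tokens, allow-lists the formats that caused the false positives named above (public key lines, UUIDs, hex digests), and builds a baseline from a report-only pass so that only tokens new to the tree block a push. The token regex, the 4.0 bits/char threshold and the sample lines are assumptions; the "leaked" value is AWS's documented placeholder secret, not a live credential.

```python
"""Entropy-based secret check with an allow-list and a baseline.

Added example for the thread above; not code from any commenter or project.
Regexes, threshold and sample input are assumptions/constructed.
"""
import math
import re
from collections import Counter
from typing import FrozenSet, List, Optional, Tuple

# Runs of credential-looking characters (base64 / hex / urlsafe) long enough to matter.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

# High-entropy but benign formats: the false positives the comment above ran into.
BENIGN = [
    ("uuid", re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)),
    ("hex", re.compile(r"^[0-9a-f]+$", re.I)),  # commit SHAs, digests, colour codes
]
# An authorized_keys-style public key line is skipped as a whole.
PUBKEY_LINE_RE = re.compile(r"^\s*(ssh-(rsa|ed25519)|ecdsa-sha2-nistp\d+)\s+[A-Za-z0-9+/=]+")

# Assumed threshold in bits per character; random base64 material sits well above it,
# while identifiers and English words sit below it.
DEFAULT_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the token's own symbol frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def benign_kind(token: str) -> Optional[str]:
    """Name of the allow-list entry the token matches, or None if it still looks secret."""
    for name, rx in BENIGN:
        if rx.match(token):
            return name
    return None


def scan(text: str, threshold: float = DEFAULT_THRESHOLD,
         baseline: FrozenSet[str] = frozenset()) -> List[Tuple[int, str, float]]:
    """Return (line number, token, entropy) for each suspicious token not in `baseline`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PUBKEY_LINE_RE.match(line):
            continue  # public keys are high-entropy by design and not a leak
        for tok in TOKEN_RE.findall(line):
            if tok in baseline or benign_kind(tok):
                continue
            ent = shannon_entropy(tok)
            if ent >= threshold:
                findings.append((lineno, tok, round(ent, 2)))
    return findings


def build_baseline(existing_text: str, threshold: float = DEFAULT_THRESHOLD) -> FrozenSet[str]:
    """Report-only pass over the existing tree. Whatever it flags is triaged by hand
    (rotated or accepted); the triaged set becomes the baseline so the blocking check
    only fires on tokens that are new."""
    return frozenset(tok for _, tok, _ in scan(existing_text, threshold))


# Constructed sample of an existing tree. The key body is not a real key and the
# "legacy_token" is AWS's documented example secret, used here as a placeholder.
EXISTING = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBODYNOTREALxxxxxxxxxxxxxxxxxx deploy@ci
request_id = "550e8400-e29b-41d4-a716-446655440000"
commit = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
legacy_token = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
name = some_long_identifier_name_here
"""

# Constructed "new push": the already-triaged token plus a genuinely new one.
NEW_PUSH = """\
old = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
new = "Zq8vT3mLp0XkR2dN9sWfY6bHj4cA1uEoG7iKtV5y"
"""

if __name__ == "__main__":
    print("report-only over existing tree:", scan(EXISTING))
    base = build_baseline(EXISTING)
    print("blocking findings for new push:", scan(NEW_PUSH, baseline=base))
```

Run as a script it first shows what the check would have flagged in the existing tree (the UUID, the commit SHA, the public key and the long identifier all pass; only the placeholder secret is reported), then shows that with the baseline in place a push re-using that token is not blocked while a new random-looking token is. The same two-phase shape carries over to a CI make target: run `scan` without a baseline as a non-blocking report first, then enable blocking only for new files or new findings.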

------
ldoughty
I hope I can claim another $10,000,000/500,000,000 = jack shit from my PII
being released again!

------
sigzero
Frivolous. Throw it out.

------
wrong_variable
Most websites and their owners on the internet are broke.

Github is flush with cash (relatively speaking).

Makes sense why they would go after them (Microsoft), not that it will
stick.

~~~
rectang
They learned from the Steve Dallas example of suing Nikolta Camera:

[https://www.gocomics.com/bloomcounty/1986/06/22/](https://www.gocomics.com/bloomcounty/1986/06/22/)

------
deegovee
But why sue Amazon?

