While Capital One is certainly getting their fair share of lawsuits, it seems GitHub has somehow managed to receive one over the breach as well.
The Capital One data breach story is continuing. Late last month, we reported on the 100 million customer data breach at the credit card company. In the wake of the major data breach, a class action lawsuit was filed against Capital One in the United States. Shortly after, another lawsuit was filed against the company in Vancouver, Canada.
Now, the story is taking a rather curious turn. Reports are surfacing that GitHub is also being hit with a lawsuit in relation to the breach. If your reaction is, “What does GitHub have to do with the Capital One data breach?”, well, that was our reaction as well. According to The Hill, it’s because the now-arrested hacker posted the stolen data on the site. From the report:
The law firm Tycko & Zavareei LLP filed the lawsuit on Thursday, arguing that GitHub and Capital One demonstrated negligence in their response to the breach.
The firm filed the class-action complaint on behalf of those impacted by the breach, alleging that both companies failed to protect customer data.
Thompson, a former Amazon employee, allegedly accessed the data in March and posted about her theft of the information on GitHub in April, according to the complaint. Another GitHub user notified Capital One, which subsequently notified the FBI.
“As a result of GitHub’s failure to monitor, remove, or otherwise recognize and act upon obviously-hacked data that was displayed, disclosed, and used on or by GitHub and its website, the Personal Information sat on GitHub.com for nearly three months,” the law firm alleged in its complaint against GitHub and Capital One.
Now, especially if you are an American reader, you might be wondering if sites have immunity from the actions of their users. In that case, you are likely thinking of Section 230 of the Communications Decency Act. According to the Wikipedia entry, there are protections afforded to web services whenever the actions of their users might be breaking the law:
Section 230 of the Communications Decency Act of 1996 (a common name for Title V of the Telecommunications Act of 1996) is a landmark piece of Internet legislation in the United States, codified at 47 U.S.C. § 230. Section 230(c)(1) provides immunity from liability for providers and users of an “interactive computer service” who publish information provided by third-party users:
No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.
In analyzing the availability of the immunity offered by this provision, courts generally apply a three-prong test. A defendant must satisfy each of the three prongs to gain the benefit of the immunity:
1. The defendant must be a “provider or user” of an “interactive computer service.”
2. The cause of action asserted by the plaintiff must treat the defendant as the “publisher or speaker” of the harmful information at issue.
3. The information must be “provided by another information content provider,” i.e., the defendant must not be the “information content provider” of the harmful information at issue.
So, it’s not as though GitHub doesn’t have a way of defending itself here. Whether or not the case will really get far or if precedent is really set remains unclear. Still, it’s rather curious how GitHub managed to even get in the middle of any of this.
Drew Wilson on Twitter: @icecube85 and Facebook.