Capital One and GitHub are being sued in wake of massive data breach

Capital One revealed earlier this week that the bank account numbers and social security numbers of more than 100 million customers were hacked.

A class action lawsuit on behalf of affected customers was filed Thursday against Capital One and GitHub, a code-sharing platform for developers, where the hacker had allegedly posted the stolen information.

The lawsuit alleges negligence on the the two companies' part for failing to “exercise reasonable care” in protecting customers' personal information from being compromised or stolen.

The lawyer representing customers told Business Insider that the companies “shirked their duty” in protecting people's data, and need to be held responsible for the data breach.

Capital One and the Microsoft-owned GitHub are facing a class action lawsuit over allegations of not doing enough to protect the personal information of more than 100 million bank customers who were affected by a massive data breach.

The lawsuit was filed Thursday in federal district court on behalf of plaintiffs Aimee Aballo and Seth Zielicke, though if granted class action status, it could include the 106 million Capital One customers who the bank revealed this week were affected by the breach in question.

The lawsuit alleges that both companies should be held responsible for failing to “exercise reasonable care” in “safeguarding and protecting the Personal Information of Plaintiffs and the Class,” although Capital One has yet to notify the customers whose information was compromised.

“This is the kind of the result of negligence from two companies who are sophisticated and should've done better,” Sabita Soneji, the lead lawyer for the plaintiffs, told Business Insider. “They shirked their duty to protect this data.”

Although the massive data breach came to light this week, customer information was accessed back in March, according to the original criminal complaint in the case. That same complaint indicated that Capital One only found out about the data breach because of an email tip earlier this month from an “external security researcher” who found customer data published on GitHub, a Microsoft-owned platform for developers to share code.

The documents also say that the alleged hacker in this case, a former Amazon Web Services employee named Paige Thompson, had bragged about stealing the Capital One data on her GitHub page.

The lawsuit argues that GitHub should have been able to identify and remove “obviously-hacked data” that was posted on its website. Instead, the data sat on a “publicly-available website” for nearly three months before a user reported it to Capital One, the lawsuit claims.

Furthermore, the lawsuit faults GitHub for not having content moderators — similar to those at Facebook, YouTube and Twitter — whose jobs are to monitor their platforms for posts and behavior that violate policies and should be taken down. If GitHub had such moderators, identifying something as simple as nine-digit social security numbers would be much easier to identify, the lawsuit alleges.

“Having the duty to monitor your site still applies. This is a place that encourages developers to leave data and code,” lead lawyer Soneji told Business Insider. “If they're hosting a platform, they ought to do better.”

The lawsuit also points out that Capital One reported data breaches in November 2014, August 2017, and February 2018.

“Plaintiffs and Class Members were foreseeable victims of Capital One's inadequate data security practices and in fact suffered damages caused by Capital One's breaches of their duties,” the lawsuit says.

The lawsuit says that the plaintiffs are looking for “compensatory, consequential, general, and nominal damages” of at least $5 million, according to court documents.

Neither Capital One nor Microsoft, which owns Github, responded to Business Insider's request for comment.