Class-action sueball flung at Capital One and GitHub over theft of 106 million folks' details

Code repository GitHub and credit-card-flinger Capital One are facing down a potential class-action lawsuit in the US accusing them of negligence over the loss of 106 million individuals' personal data. Capital One is accused of failing to take appropriate action to secure its Amazon-hosted cloud storage, while Microsoftie …

  1. }{amis}{ Silver badge
    FAIL

    Chuck it all at the wall and see what sticks...

    Given the appalling stuff that FB and others get away with hosting, the action against Github is doomed.

    Capital One on the other hand, is about to get a well-deserved thrashing.

    There are no excuses for not properly configuring security on cloud resources; it's been fingered for info leaks time and time again.

    1. GnuTzu Silver badge

      Re: Chuck it all at the wall and see what sticks...

      We'll soon be seeing this stuff appearing pervasively in lawyer advertising. "Have you or anyone in your family been exposed to... err, had your privates exposed..."

    2. big_D Silver badge

      Re: Chuck it all at the wall and see what sticks...

      Yes, GitHub is a repository, the code there is uploaded by users. I'd be very upset if they randomly started deleting my code, just because it might look like exploit code.

      And, according to the news, the "information" on GitHub was demonstration code on how to compromise the bucket, not data from the bucket.

      When GitHub was informed that they had exploit code, they checked it and removed it from the repository. I don't see that they could do more.

  2. Will Godfrey Silver badge
    WTF?

    How does that work?

    Github didn't have the actual data, and as soon as they were informed that the means to get it was on their site they removed it. What else were they supposed to do?

    The responsibility is entirely with Capital One.

    1. Captain Scarlet Silver badge
      Unhappy

      Re: How does that work?

      Simple, these are leeches acting on behalf of themselves and will try and extract money from anyone they can, whilst maybe giving 3p back to the actual people affected.

    2. Anonymous Coward
      Anonymous Coward

      Re: How does that work?

      So you spent 100's for tickets to a concert that didn't happen, and you're suing me because of an advertisement poster for it plastered on the back side of my building? Because I should have known?

  3. Pascal Monett Silver badge
    Coat

    106 million individuals' personal data

    Remind me again why it is not the police simply carting everyone off to jail on this ?

    Oh, right, silly me. Capital One means money.

    1. s2bu

      Re: 106 million individuals' personal data

      Because having shit security, while bad for business, isn’t exactly criminal. If it was, most of Microsoft’s Windows team would be behind bars by now.

  4. SotarrTheWizard
    Mushroom

    Question is. . .

    . . . .assuming the sueball hits the target, and that we already know the lawyers will eat most of the settlement. . . .

    . . . .why bother ? Suing a big corp only enriches the sharks, not the people who actually got damaged. .

    Personally, I'm waiting to see if I get **ANY** of my US$125. 'settlement' from Equifax. . . and whether I cash the check. . . . or my estate does. . .

    1. FrogsAndChips Silver badge

      Re: Question is. . .

      What about the plaintiffs who brought in the case, do they get a finder's fee? (IANAL, obviously, just asking)

    2. eldakka Silver badge

      Re: Question is. . .

      "Suing a big corp only enriches the sharks, not the people who actually got damaged. ."

      While the victims should get compensated, even if they don't, if the company responsible has to make a big payout to anyone that isn't itself, then hopefully the activity at the company that led to that payout will cease and other companies that do the same type of thing may clean up their act to avoid having to make the same (if not bigger) payouts.

      Therefore there is value in that at least if nothing else.

      1. SotarrTheWizard

        Re: Question is. . .

        That's cute. Assuming any big organization will change without their feet LITERALLY placed in the fire. . .

  5. Walter Bishop Silver badge
    Terminator

    GitHub sued over data leak?

    I am not a Lawyer, but I fail to see the logic, GitHub provides a file hosting service, a third party, Capital One failed to secure the files as stored in S3 buckets, and blaming an improperly configured firewall is a lame excuse.

    1. diodesign (Written by Reg staff) Silver badge

      Re: GitHub sued over data leak?

      The alleged data thief posted details on how to enumerate and download CapitalOne's poorly secured S3 buckets on GitHub. That's about the closest connection.

      C.

      1. Michael B.

        Re: GitHub sued over data leak?

        How utterly bizarre. Why not sue Stackoverflow then for giving the demo code that they probably used to create the sample code?

  6. vtcodger Silver badge
    WTF?

    Whaaaat?

    You telling me that collecting vast amounts of personal data on members of the public and failing to protect said data can cost you money? In a saner world, that might be a problem for quite some number of high tech business plans. My guess is that not one company or business anywhere -- including Capital One -- will learn anything from this.

    Note that I have a VERY small amount of sympathy for Capital One as unlike Google, Facebook, etc, etc, etc Capital One has an actual NEED to retain some sensitive data on users. I'll reserve any additional sympathy until we see how hard Capital One tried to protect that data and whether their files contained gratuitous customer data unrelated to their banking businesses.

  7. DCFusor Silver badge

    Beginners

    Love the cloud, they fell for the hype.

    So, they use it because their managers fell for it too. Thing is, the cloud providers generally DO provide a little protection against unauthorized access. Sometimes it's even fine-grained.

    So, beginner developer finds he can't access his cloud-based data and starts turning off the various protections till it starts to work. Now, he gets on with whatever development he was doing - never turning back ON the ones that weren't his problem.

    I'd bet real money this is why we see so many breaches of various cloud buckets - AWS getting the most because they have the most.

    I've seen this "coding at the tube till it compiles or quits crashing" all too much - and it was highly discouraged at the outfit I ran...as in you'd better be in the habit of making a plan first, and actually understanding what each thing means before you do real work, or else.

    Lo and behold, these sorts of things just didn't happen to us. We forced people to spend time on toolmaking (BITE and automation stuff), and writing tests that would definitively show just what settings were required, what apis to use and so on - only then was production code even designed.

    Then you could give it to beginner morons with inflated CVs to just code...and be almost safe.

  8. anothercynic Silver badge

    Ahhh... let's shoot the messenger...

    Github is not a guilty party here. Capital One on the other hand...

  9. ps2os2

    Git Hub Data Breach

    If I had data that resided outside of the enterprise, I would have secured it by encryption. Anything else is stupidity and everyone should get thrashed.

  10. GarfLloydell

    Stolen Snark

    Saw this in another thread (I think on HN), but if they're going after github they might as well also go after Cisco for supplying the routers which negligently and shamefully failed to filter out the terrible awful no good packets which contained the personal information at question.


Biting the hand that feeds IT © 1998–2019