DRM Screws People Yet Again: Book DRM Data Breach Exposes Reporters' Emails And Passwords

from the was-that-really-worth-it? dept

I have a few different services that report to me if my email is found in various data breaches, and recently I was notified that multiple email addresses of mine showed up in a leak of the service NetGalley. NetGalley, if you don't know, is a DRM service for books, that is regularly used by authors and publishers to send out "advance reader" copies (known around the publishing industry as "galleys.") The service has always been ridiculously pointless and silly. It's a complete overreaction to the "risk" of digital copies of a book getting loose -- especially from the people who are being sent advance reader copies (generally journalists or industry professionals). I can't recall ever actually creating an account on the service (and can't find any emails indicating that I had -- but apparently I must have). However, in searching through old emails, I do see that various publishers would send me advance copies via NetGalley -- though I don't think I ever read any through the service (the one time I can see that I wanted to read such a book, after getting sent a NetGalley link, I told the author that it was too much trouble and they sent me a PDF instead, telling me not to tell the publisher who insisted on using NetGalley).

It appears that NetGalley announced the data breach back in December on Christmas Eve, meaning it's likely that lots of people missed it. Also, even though I'm told through this monitoring service that my email was included, NetGalley never notified me that my information was included in the breach. NetGalley did say that the breach included both login names and passwords -- suggesting that they didn't even know to hash their passwords, which is just extremely incompetent in this day and age.

So, from my side of things, this means that the company put me and my information at risk for what benefit? To make my life as a potential reviewer of a book more difficult and annoying, and limiting my ability to easily read a book? DRM benefits literally no one. And in this case, has now created an even bigger mess in leaking my emails and whatever passwords I used for their service (thankfully, I don't reuse passwords, or it could have been an even bigger problem). For those who say that the DRM is still necessary to avoid piracy, that's ridiculous as well. If the book is going to get copied and leaked online, it's going to get copied and leaked online. And once one copy is out, all the DRM in the world is meaningless.

Rather than focusing so much on locking stuff up and making it impossible to read, while putting people's personal info at risk, just stop freaking out, recognize that most people are not out to get you by putting your stuff on file sharing sites, and focus on getting people to want to buy your books, rather than putting their data and privacy at risk.

Filed Under: advance reader copies, data breach, drm, emails, galleys, hacked, passwords
Companies: netgalley

Malware Merchant NSO Group Caught Leaving Harvested Location Data Exposed

from the oh-well-'little-people'-aren't-the-end-users-so-who-cares dept

Israeli surveillance tech firm NSO Group is something else. (Pejorative, yo.) It set up shop in a contested country where it's not all that paranoid to say everyone is out to get them. (But it's still a little paranoid, if not a lot racist.) That being said, Israel doesn't have a lot of nearby allies. And its ongoing conflict with Palestine hasn't made it any new friends.

You'd think a government contractor operating out of this space would be more judicious with its sales efforts. But finding new customers seems to be more important to NSO Group than defending its own country against attacks. NSO has sold its pervasive surveillance products -- ones that leverage popular messaging apps to create spy-holes in end-to-end encryption -- to anyone who wants them, including those that would turn these tools against Israeli citizens, journalists, and activists.

NSO has enabled a global war on dissent and criticism. It's not the only company that takes a hands-off approach to sales -- justifying the money in its pocket with claims it's nothing more than an exploit-hawking middleman. This has earned it some justifiable disdain. It has also earned it lawsuits, including one filed by a company too big to ignore: Facebook.

Multiple governments have purchased exploits from NSO, resulting in a worldwide war on journalists and activists. This makes NSO richer. But it doesn't make the company any smarter. NSO and Israel briefly joined forces to engage in domestic surveillance, utilizing NSO's malware to facilitate COVID contact tracing -- an effort swiftly blocked by an Israeli court.

NSO hasn't slowed down its surveillance efforts -- the ones deployed by its customers. But it has again managed to generate unfavorable headlines and coverage. The company, whose offers of contact tracing were rejected by an Israeli court, hasn't dialed back its efforts to place people under surveillance -- supposedly for the public good.

But its exploits have their own security flaws. While it was trying to sell governments its contract tracing goods, it failed to secure some of the data it had been gathering in hopes of vertically integrating its spy tech and its "concern" for the general population's health. Zack Whittaker reports for TechCrunch:

NSO, a private intelligence company best known for developing and selling governments access to its Pegasus spyware, went on the charm offensive earlier this year to pitch its contact-tracing system, dubbed Fleming, aimed at helping governments track the spread of COVID-19. Fleming is designed to allow governments to feed location data from cell phone companies to visualize and track the spread of the virus. NSO gave several news outlets each a demo of Fleming, which NSO says helps governments make public health decisions “without compromising individual privacy.”

But in May, a security researcher told TechCrunch that he found an exposed database storing thousands of location data points used by NSO to demonstrate how Fleming works — the same demo seen by reporters weeks earlier.

NSO has responded to the hole it didn't close until notified by TechCrunch -- months after the first notification by the security researcher. It says the data seen in the breach isn't "real and genuine data."

Well, we'll see if that's true. At this point, this appears to be bullshit. As Whittaker notes, NSO's statement conflicts with news reports about NSO's use of location data sold to it by third-party brokers who gather location info from phone apps. NSO used this data to "train" its contact tracing AI. It's still "real and genuine data," even if NSO wasn't (yet!) using it in real-word applications.

TechCrunch asked researchers at Forensic Architecture, an academic unit at Goldsmiths, University of London that studies and examines human rights abuses, to investigate. The researchers published their findings on Wednesday, concluding that the exposed data was likely based on real phone location data.

Whatever the real-world applications by NSO, the fact is NSO utilized data of thousands of individuals from multiple countries (Rwanda, Israel, Saudi Arabia, UAE, Bahrain) to train an AI it was pitching to world governments -- a pitch that likely did not inform potential end users NSO would be buying data in bulk from brokers who are generally unconcerned about local data privacy laws.

NSO may be trying to rehabilitate its image by offering its considerable surveillance power to the fight against COVID, but its efforts show it's really still just in the business of collecting everything it can while expanding its user base to whoever's willing to buy -- even if it includes foreign enemies.

A failure to secure a database -- even if it's only filled with "trial" data -- is a monumental self-own. This indicates NSO isn't nearly as careful as it should be, considering the wealth of data/communications it helps government agencies siphon from targets' devices. When millions of people around the world are just grist for the surveillance mill, it rarely seems imperative to protect the data you've harvested from them. The only thing that matters to NSO is surveillance and the profit made. Collateral damage doesn't affect its bottom line -- not when there's a host of human rights violators lining up to buy your goods.

Filed Under: data breach, exploits, hacking, location data, security, surveillance
Companies: nso group

DNA Company Accidentally Exposes Opted Out Users' Data To Law Enforcement

from the apparently-the-software-does-not-approve-of-your-decision dept

A couple of years ago, investigators in California used a DNA matching service to track down the so-called "Golden State Killer." Uploading a sample of the suspected serial murder's DNA, they were able to identify distant relatives of the suspect. Using these sentient clues, investigators eventually worked their way back to the suspected killer, who had eluded authorities for years.

Shortly after this made news, GEDmatch informed users that law enforcement had never approached the company directly to acquire this information. Instead, investigators created an account and uploaded samples, bypassing anything GEDmatch might have had in place to limit use by government agencies. GEDmatch said the only way customers could ensure their DNA info wouldn't be obtained by law enforcement was to not use the service at all.

A month later, it went a step further. It opted all users out of allowing law enforcement to access their DNA data. Users were allowed to opt in if they were comfortable with the government digging through their information. This somewhat solved the problem. But law enforcement has been known to create faux profiles to search DNA data, so opting out isn't guaranteed to stop cops from accessing this info.

Unfortunately, something recently went very wrong with GEDmatch's database.

[U]sers reported Sunday that those settings had changed without their permission, and that their DNA profiles were made available to law enforcement searches.

Users called it a “privacy breach.” But when reached, the company’s owner declined to say if the issue was caused by an error or a security breach, citing an ongoing investigation.

This incident/error opted everyone in to law enforcement access. The company still isn't sure what happened. The statement issued by the CEO says the problem is "resolved" but the company has taken the site offline until it can determine what actually happened.

The site is still down as of the time of writing (July 20th). GEDmatch hasn't offered any further statement on the matter, either. It also has refused to say whether any law enforcement requests to the service were received or responded to while everyone was temporarily opted in.

The larger problem remains, however. GEDmatch's default is opt out, which is best for its users. But it's unclear whether GEDmatch polices its service for bogus accounts possibly be used by… well, police. GEDmatch only requires an email address for registration. It says you must link a "real name" to uploaded DNA data but nothing in its terms of service indicates this name must be verified before the site can be searched for matches. This means opting out is only as good as the law enforcement agencies using the service. If they can't be trusted then GEDmatch probably can't be trusted either.

Filed Under: data, data breach, dna, law enforcement, privacy, surveillance
Companies: gedmatch

Hacks Are Always Worse Than Reported: Nintendo's Breached Accounts Magically Double

from the whoopsie dept

One of these days, we writers at Techdirt will put our collective and enormous heads together, and come up with an actual proposed mathematical formula that should be applied whenever a company first announces a security or account breach, so that the public can calculate what that breach count will eventually end up being. The reason the world needs such a formula is because you can pretty much set your watch when a company announces such a breach that in the following weeks or months it will grow significantly. This happened with Equifax, with TJX, and even with our own vaunted federal government. But if we ever really did want to try to put some kind of formula together for measuring the underplaying of a breach on initial response, the historical breach that would probably brake such an algorithm would have to be Yahoo's email breach, which, in 2013, was the breach of a few hundred thousand email accounts, but in 2017 magically became all of the accounts. As in, literally all of them.

This severity progression is so routine that it should have a name for easy reference. I propose Geigner's Effect. I heard somewhere that if you write for this site long enough you get an effect named after you.

The most recent example of, ahem, Geigner's Effect (actually first proposed on this site by Mike Masnick, but he already has an Effect) is Nintendo, which near the start of the year announced that roughly 160k of its Nintendo Accounts had potentially been breached. In an update this week, Nintendo revised that number to nearly double the original amount.

Today, Nintendo announced another 140,000 or so more accounts may have been accessed. That means a total of around 300,000 accounts may have been breached. Nintendo pointed out in an update today that that’s less than one percent of all Nintendo Network ID users.

While that's true, it's also 200% of the amount that Nintendo originally said had been breached. And who knows what that number is going to be in another couple of weeks or months? It could stay the same, or it could be more Yahoo-esque and balloon significantly. Remember again, Yahoo revised its breach numbers on a nearly annual basis until it finally settled on "all the accounts." The public has no reason to trust companies on these numbers and every reason to dismiss the casual trotting out of seemingly comforting math by some PR goon.

So, we reiterate: when you see a report of a breach, know that it's always more severe than first reported. Until we have our formula ready for prime time, that's the best you can do.

Filed Under: breach, data breach, geigner's effect
Companies: nintendo

Stalkerware Developer Found Leaking Sensitive Data From Thousands Of The Software's Victims

from the it-all-starts-with-not-giving-a-fuck-about-anyone dept

Oh, if only this were more of a surprise. Another vendor selling sketchy spyware has been discovered to be careless with its handling of all the sensitive communications and data it pulls from victims' cell phones. (via Databreaches.net)

The company doing all the leaking is ClevGuard, which I guess is short for "clever." It apparently isn't. Its phone-snooping app, KidsGuard, is supposed to allow parents to monitor their children's cell phone usage. Obviously, there are other applications for it, like monitoring the activity of spouses, ex-spouses, girlfriends/boyfriends of the current and ex- variety, employees, dissidents, journalists… just about anyone someone else wants to spy on.

The name isn't deliberately misleading but the app disguises itself as a system update app, allowing it to hide in plain sight, untroubled by surveillance targets. The company even advertises the app's flexibility as going beyond monitoring kids to spying on other adults.

Zach Whittaker has the details on the leaky app for TechCrunch:

TechCrunch obtained a copy of the Android app from Till Kottmann, a developer who reverse-engineers apps to understand how they work.

Kottmann found that the app was exfiltrating the contents of victims’ phones to an Alibaba cloud storage bucket — which was named to suggest that the bucket only stored data collected from Android devices. It’s believed the bucket was inadvertently set to public, a common mistake made — often caused by human error — nor was it protected with a password.

Using a burner Android device with the microphone sealed and the cameras covered, TechCrunch installed the app and used a network traffic analysis tool to understand what data was going in and out of the device — and was able to confirm Kottmann’s findings.

The app -- in its full paid form -- is pervasive. In addition to hoovering up contacts, photos, SMS message content, and location data, it provides a wealth of information about conversations occurring in WhatsApp, Viber, and Facebook Messenger. It also compromises more secure services like Snapchat and Signal by taking snapshots of conversations and relaying them to the company's servers.

The company has since shut down access to the leaky Alibaba cloud storage bucket, but the damage may already have been done. And it's just more evidence that companies selling malicious stalkerware care very little about the security of their customers… and even less about the security of their software's victims.

Filed Under: data breach, kidsguard, parents, snooping
Companies: clevguard

China's To Blame For The Equifax Hack. But It Shouldn't Let Equifax, Or US Regulators, Off The Hook.

from the plenty-of-blame-to-go-around dept

The Department of Justice this morning formally announced that it has identified the Chinese government as the culprit behind the historic Equifax hack. If you've forgotten, the 2017 hack involved hackers making off with the personal financial data of more than 147 million Americans. Those victims were then forced to stumble through an embarrassing FTC settlement that promised them all manner of financial compensation that mysteriously evaporated once they went to collect it.

According to the FTC's press release and the indictment (pdf), the four Chinese government employees responsible for the hack were all members of the People’s Liberation Army's 54th Research Institute, an extension of the Chinese military. The four exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal to first gain access to Equifax's systems, then ran more than 9,000 queries before managing to offload both consumer financial data and "proprietary Equifax info" (mostly related to databases) to a Dutch server.

In a statement, Equifax was happy to see the onus shifted entirely onto the backs of the Chinese:

"Cybercrime is one of the greatest threats facing our nation today, and it is an ongoing battle that every company will continue to face as attackers grow more sophisticated. Combating this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult. Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced firsthand."

That rhetoric was mirrored in the DOJ's announcement and Bill Barr's speech, which repeatedly framed the entire Equifax saga as largely a victory for U.S. national security:

"The size and scope of this investigation — affecting nearly half of the U.S. population, demonstrates the importance of the FBI’s mission and our enduring partnerships with the Justice Department and the U.S. Attorney’s Office. This is not the end of our investigation; to all who seek to disrupt the safety, security and confidence of the global citizenry in this digitally connected world, this is a day of reckoning."

Except there are a few things both Equifax and Bill Barr forget to mention. One, the vulnerability that allowed the hackers to gain access to this data was known about by Equifax months before the attack and the company did nothing about it. Two, that this data wouldn't be available to steal if companies like Equifax hadn't made an industry out of collecting this sort of data -- without consumer consent and with no way for consumers to opt out -- in the process creating such a delicious target. A target they then failed to adequately secure and protect.

So yes, while it's certainly great we've identified the hackers (who'll never see the inside of a jail cell), this entire mess could have been avoided.

A few lawmakers, like Senator Mark Warner, were quick to applaud the investigation while highlighting how it shouldn't distract from Equifax's failures:

"The indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack,” Senator Mark Warner said in a statement provided to Motherboard. “A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care – and face any consequences that arise from that failure."

Another thing neither Equifax or Bill Barr likely want to highlight is that the penalty for Equifax -- and the FTC settlement for consumers -- was little more than a cruel joke. While the $575 million FTC settlement was bandied about for being a "record" deal, like most hack/breaches, the final penalty was a far cry from the money made from collecting and selling access to this data for decades. And the consumer "compensation" aspect of the deal involved both useless "free" credit reporting software and $125 cash payouts that mysteriously disappeared when victims went to collect them, adding insult to injury.

A lack of any meaningful US privacy law for the internet era means there's repeatedly no real punishment for companies that fail to secure the vast troves of data they're now collecting on your every waking moment. Nor is there any real compensation for consumers who may not have wanted this data collected, stored, and sold to every nitwit with a nickel. There are so many points of failure here -- from corporations that treat privacy and security as an afterthought to captured regulators too feckless to do anything about it -- that focusing too extensively on national security risks us learning absolutely nothing from the experience.

Filed Under: china, cybersecurity, data breach, doj, security, william barr
Companies: equifax

Wyze Breach Leaves Data Of 2.4 Million Users Exposed Online

from the watching-you-watching-me dept

Another day, another company leaving massive troves of consumer data openly accessible to the internet.

One of the darlings of the holiday tech marketing season was Wyze Labs, which provides significantly cheaper ($20) in home internet-enabled cameras compared to competitors like Ring. While both Wirecutter and CNN put Wyze's cheap camera on their holiday must buy shopping lists, the company's customers got more than they bargained for under the tree this Christmas.

The folks at Twelve Security discovered that camera information, Wi-Fi network details, email addresses, Alexa tokens, and even biometric data of 2.4 million customers was inadvertently left available to the open internet from December 6 to December 27. Security researcher "Ghost" stated he'd "never encountered a breach of this magnitude," and noted that a significant, major breach had already impacted the same company about six months ago. A second post by the firm notes how the cameras are largely just rebranded Xiaomi cameras from China, funneling much of this collected data back to Alibaba cloud servers.

Wyze, which sells the cameras largely through its relationship with Amazon, told the New York Times that an "employee error" was to thank for the massive breach:

"The first Wyze breach occurred after an employee created a flexible database to quickly pull user analytics, such as camera connectivity rates, user growth and the number of devices connected per user, Mr. Crosby said.

That employee removed the security protocols on the new database, exposing customers’ personal information. Customers’ passwords were not saved on the breached database, so hackers could not access live camera feeds, said Dongsheng Song, a co-founder at Wyze."

Yeah, whoops. Prompted by the data leak, the company began a complete head to toe security audit (why this hadn't already been done isn't clear) and found another, second breach on December 27 -- the details of which haven't yet been made public and continues to be investigated by the company. On the plus side, the company at least acknowledged the need to do better, which doesn't always happen:

"“We didn’t properly communicate and enforce our security protocols to new employees,” Mr. Song said. “We should have built controls, or a more robust tool and process to make sure security protocols are followed,” he added. Wyze executives said that the employee who made the mistake is still employed at the company. “It was an accident,” Mr. Crosby said. “We are very, very sorry and taking it very seriously."

Most IOT vendors don't prioritize privacy or security because it erodes revenues. The consumers who buy these products only care about cheap tech. And government regulators remain uninterested in seriously penalizing companies that fail to secure their systems. As such, the breach highlights why in this vacuum there's such a growing push to begin including security and privacy warnings in user hardware reviews so consumers are at least fleetingly aware of the companies they're getting into bed with.

But it also again highlights how dumb tech (like say, a dog) often remains the smarter option.

Filed Under: data breach, iot, security
Companies: wyze

Nearly 4,000 Ring Credentials Leaked, Including Users' Time Zones And Device Names

from the Ring-PR-team-looking-to-expand:-masochism/sociopathy-a-plus! dept

The eternal flame that is Ring's dumpster fire of an existence continues to burn. In the past few months, the market leader in home surveillance products has partnered with over 600 law enforcement agencies to:

• Engage in law enforcement stings that don't sting anyone
• Teach cops how to bypass warrant requirements
• Sign up a bunch of people for its snitch app
• Use said snitch app to generate "suspicious person" alerts
• Blame users for not securing their cameras properly
• Admit the company places no restrictions on sharing of subpoenaed footage by law enforcement agencies
• Let everyone know it's collecting images of children

The latest bad news for Ring -- via Caroline Haskins of BuzzFeed -- is another PR black eye inflicted on a company whose face that still hasn't healed from the last half-dozen black eyes.

The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.”

The compromised data plays right into the hands of the assholes who hang out in certain online forums solely for the purpose of hijacking people's Ring devices to hassle individuals who thought their homes would be more secure with the addition of an internet-connected camera.

Ring says this leak of personal data isn't its fault. The company claims there's been no breach. Maybe so, but the information is out there and presumably being exploited.

And it's kind of hard to take Ring's word for it. The company has been doing nothing but putting out PR fires ever since its law enforcement partnerships came to light earlier this year. And its explanation for where the sensitive data came from makes very little sense.

“Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said. “It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”

Ring's spokesperson did not specify which other "companies" it suspected of carelessly handling device names given to Ring devices by Ring users. The spokesperson also failed to explain why Ring took no interest in this sensitive Ring user info until after the security researcher who discovered the compromised credentials discussed his findings on Reddit. "Unable to assist" is not a proper response to notification of a possible breach, but that's exactly what Ring reps told the researcher when he first informed them of what he had found.

Ring may have been quick to blame users for the commandeering of their cameras by a forum full of shitbirds, but the company does almost nothing to ensure users are protected from malicious activity. The only thing Ring does is recommend users utilize two-factor authentication and "strong passwords" (whatever that means). It does not alert users of attempted logins from unknown IP addresses or inform users how many users are logged in at any given time. Ring is doing less than the minimum to protect users but still seems to feel device hijackings are solely the fault of end users.

This is a garbage company. There's no way around it. Ring has prioritized market growth and law enforcement partnerships over the millions of citizens/customers who own its products. Rather than provide a secure product that makes people safer, it's selling a domestic surveillance product that comes with law enforcement strings attached. It has shown it will bend over backwards for the government but is only willing to deliver the most hollow of "we care about our customers" statements in response to news cycle after news cycle showing it absolutely gives zero fucks about its end users.

Filed Under: credentials, data breach, doorbells, leaks, ring, security
Companies: amazon, ring

Class Action Lawsuit Hopes To Hold GitHub Responsible For Hosting Data From Capital One Breach

from the into-the-breach dept

As soon as the Capital One breach was announced, you knew the lawsuits would follow. Handling the sensitive info of millions of people carelessly is guaranteed to net the handler a class-action lawsuit or two, but this one -- filed by law firm Tycko & Zavareeri -- adds a new twist.

The 28-page lawsuit filed Thursday in the U.S. District Court for the Northern District of California asserted that GitHub "actively encourages (at least) friendly hacking."

It notes that the hacked Capital One information was posted online for months and alleges that the company violated state law to remove the information. "GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information," the suit says

Weird legal theory, but one that could possibly to be stretched to target some of the $7.5 billion Microsoft paid to acquire GitHub. But it takes a lot of novel legal arguments to hold a third party responsible for content posted by a user, even if the content contained a ton of sensitive personal info.

The lawsuit [PDF] alleges GitHub knew about the contents of this posting since the middle of April, but did not remove it until the middle of July after being notified of its contents by another GitHub user. The theory the law firm is pushing is that GitHub was obligated to scan uploads for "sensitive info" and proactively remove third-party content. The lawsuit argues GitHub is more obligated than most because (gasp!) it encourages hacking and hackers.

GitHub knew or should have known that obviously hacked data had been posted to GitHub.com. Indeed, GitHub actively encourages (at least) friendly hacking as evidenced by, inter alia, GitHub.com’s “Awesome Hacking” page

GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information.

Further, pursuant to established industry standards, GitHub had an obligation to keep off (or to remove from) its site Social Security numbers and other Personal Information.

The "industry standards" the lawsuit references are voluntary moderation efforts engaged in by social media platforms. Certainly no platform would want to be known as the habitual host of exfiltrated credit card data, but comparing the removal of offensive or plainly illegal content to the removal of strings of numbers from a site hosting an unusually large amount of strings of numbers is quite another. The law firm feels this assertion helps its case. It probably doesn't.

Moreover, Social Security numbers are readily identifiable: they are nine digits in the XXX-XX-XXXX sequence. Individuals’ contact information such as addresses are similarly readily identifiable.

Thus, it is substantially easier to identify—and remove—such sensitive data. GitHub nonetheless chose not to.

Nine digits in a sequence. Oh, like phone numbers. And phone numbers tend to be found near addresses, especially when coders and developers are using GitHub as an offshoot of LinkedIn, posting their personal info for employers to find. Even long lists of personal info wouldn't necessarily be innately suspicious. Employers and recruiters looking for people with certain skills have probably compiled all of this freely-provided personal info for easy reference. It's not as easy to moderate content as the litigants believe.

But this belief, if backed by a judge, could add Github's money to the pool of damages. Things will get a lot more interesting once GitHub responds to unintentionally hilarious assertions like these:

GitHub knew or should have known that the Personal Information of Plaintiffs and the Class was sensitive information that is valuable to identity thieves and cyber criminals. GitHub also knew of the serious harms that could result through the wrongful disclosure of the Personal Information of Plaintiffs and the Class.

As an entity that not only allows for such sensitive information to be instantly, publicly displayed, but one that also arguably encourages it, GitHub is morally culpable, given the prominence of security breaches today, particularly in the financial industry.

Well, we'll see how "morally culpable" stands up in court, where "legally culpable" is the actual standard. GitHub will rely on Section 230 to be dismissed from this case and rightly so. The person responsible for posting sensitive data exfiltrated from Capital One is, unsurprisingly, the person who posted the sensitive data exfiltrated from Capital One. Capital One has a duty to protect the information it gathers from customers. A third party site with hosting capabilities does not and it's not nearly as easy to moderate and proactively remove content as this lawsuit says it is.

Filed Under: class action, data breach
Companies: capital one, github