Capital One and GitHub have been hit with a class-action lawsuit over the recent data breach that resulted in the data of over 100 million Capital One customers and credit card applicants being exposed.

The law firm Tycko & Zavareei LLP filed the lawsuit on Thursday, arguing that GitHub and Capital One demonstrated negligence in their response to the breach.

The firm filed the class-action complaint on behalf of those impacted by the breach, alleging that both companies failed to protect customer data.

Personal information for tens of millions of customers was exposed after a firewall misconfiguration in an Amazon cloud storage service used by Capital One was exploited.

ADVERTISEMENT

The breach exposed around 140,000 Social Security numbers and 80,000 bank account numbers, along with the credit card applications of millions in both the U.S. and Canada.

The individual who allegedly perpetrated the data breach, Seattle-based software engineer Paige Thompson, was arrested earlier this week.

Thompson, a former Amazon employee, allegedly accessed the data in March and posted about her theft of the information on GitHub in April, according to the complaint. Another GitHub user notified Capital One, which subsequently notified the FBI.

“As a result of GitHub’s failure to monitor, remove, or otherwise recognize and act upon obviously-hacked data that was displayed, disclosed, and used on or by GitHub and its website, the Personal Information sat on GitHub.com for nearly three months,” the law firm alleged in its complaint against GitHub and Capital One.

The firm also alleged that computer logs “demonstrate that Capital One knew or should have known” about the data breach when it occurred in March, and criticized Capital One for not taking action to respond to the breach until last month.

A spokesperson for GitHub pushed back against the lawsuit in a statement to The Hill, saying that "GitHub promptly investigates content, once it's reported to us, and removes anything that violates our Terms of Service."

The spokesperson added that "the file posted to GitHub did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving the request."

The lawsuit comes days after New York Attorney General Letitia James announced that her office is opening an investigation into the breach, and on the heels of another lawsuit being filed by a Connecticut resident in connection to the breach on behalf of all those impacted.

Republican leaders of the House Oversight and Reform Committee are also demanding answers from Capital One and Amazon about the breach, and the Senate Banking Committee is likely to look into the incident once Congress returns from the August recess.