Minutes later, Mailchimp alerts us that our keys have been published publicly on GitHub, and we find a copy of all our proprietary code just published on someone's account.
We know this person is from a big consulting firm in India (approx. 250 developers).
We immediately informed the manager of the firm and minutes later the repo was deleted, but haven't had an opportunity to talk more to them (it's too late in India now).
What would you do in this situation?
I know that what they did is illegal (sharing proprietary code from a private repository to the world). Is there any real way to compensate for what they did, or should I just assume they can do this without repercussion with every client they have? Things that come to mind:
- Reporting their github accounts
- Report their contractor accounts in different websites (UpWork etc)
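The Mailchimp alert in the post is the kind of notification you get after a key is already public, at which point the only fix is to rotate it. The check a team wants in place before the next push is a local secret scan over the tree. The script below is an added example for this thread, not code from the original poster or from Mailchimp; the Mailchimp key shape it matches (32 hex characters, a dash, a datacenter suffix such as `us12`) is an assumption made here, and the entropy thresholds (3.0 bits/char for hex tokens, 4.5 for base64-alphabet tokens) are the values commonly used by secret scanners. The sample `.env` content is constructed and contains no real credentials.

```python
"""Local secret scan for a source tree, usable as a pre-commit/pre-push hook.

Two checks:
  1. fixed patterns for key formats whose shape is known
     (the Mailchimp '<32 hex>-us<dc>' shape is an assumption made here)
  2. Shannon entropy on long hex / base64-looking tokens, with the
     thresholds commonly used by secret scanners (3.0 hex, 4.5 base64)
"""
import math
import re
import sys
from pathlib import Path

# Known key shapes. The Mailchimp pattern is an assumption about the format.
PATTERNS = {
    "mailchimp-api-key": re.compile(r"\b[0-9a-f]{32}-us\d{1,2}\b"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{20,}\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
HEX_THRESHOLD = 3.0   # hex never exceeds 4 bits/char, so a lower bar applies
B64_THRESHOLD = 4.5   # English-looking identifiers stay well under this

# Constructed sample; none of these values are real credentials.
SAMPLE_CONFIG = """\
# constructed sample .env; none of these values are real credentials
MAILCHIMP_API_KEY=0123456789abcdef0123456789abcdef-us12
SESSION_SECRET=q7Zp3mXv9LtR2wKbN8yHs4dF6gJc1aEo
APP_NAME=customerportalfrontendservice
DB_HOST=localhost
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str) -> list:
    """Return [(line_no, kind, value)] for every suspicious token in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        taken = []  # character spans already reported on this line
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, kind, m.group(0)))
                taken.append(m.span())
        for regex, threshold, kind in (
            (HEX_TOKEN, HEX_THRESHOLD, "high-entropy-hex"),
            (B64_TOKEN, B64_THRESHOLD, "high-entropy-base64"),
        ):
            for m in regex.finditer(line):
                start, end = m.span()
                if any(start < t_end and end > t_start for t_start, t_end in taken):
                    continue  # already covered by a fixed pattern or earlier check
                if shannon_entropy(m.group(0)) >= threshold:
                    findings.append((line_no, kind, m.group(0)))
                    taken.append((start, end))
    return findings


def scan_tree(root: str, suffixes=(".env", ".py", ".js", ".json", ".yml", ".yaml", ".txt")) -> list:
    """Scan regular files under root; returns [(path, line_no, kind, value)]."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.suffix in suffixes or path.name == ".env"):
            try:
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            for line_no, kind, value in find_secrets(text):
                results.append((str(path), line_no, kind, value))
    return results


if __name__ == "__main__":
    # With a directory argument, scan it; without one, run over the sample.
    root = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_tree(root) if root else [("<sample>", *f) for f in find_secrets(SAMPLE_CONFIG)]
    for path, line_no, kind, value in hits:
        print(f"{path}:{line_no}: {kind}: {value[:6]}...")  # never echo the full secret
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit/push when used as a hook
```

Run as `python scan.py .` from a hook and the non-zero exit blocks the push; the output deliberately truncates each match so the scanner's own log does not become a second place the key is written. Entropy alone is noisy (the `APP_NAME` value above is a long token that is correctly left alone), which is why known formats get an exact pattern and the entropy check only catches what those miss.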
In general you got it removed quickly, which is critical and really awesome. I'd push the company in India to refund some of your fees (or not bill for anything outstanding) and affirm that they are dealing with the situation and have them guarantee (in writing) that this will not reoccur and that all code has been removed from their and their employees equipment. Reputable India contracting firms do not want the bad look either so they generally will deal with it quickly and make sure it doesn't happen again.
Personally, I'd be really cautious about going super public and shaming them at this point because you have to understand that your chances of recourse with an India based company and individual are nearly zero. Creating a lot of noise posting their names and stuff could cause them to retaliate and put the code up for good in many places not just GitHub. GitHub you'd have a good chance of a DMCA type takedown since it is your property, but they'll just post it in 30 other places that won't recognize such requests.
You also have to understand the courts in India are SLOW and won't favor a western company over one of their companies/citizens, with a few exceptions. If you were a large corp, e.g. GE, Fiserv, Microsoft etc then things are different -- plus most of those have in-country subsidiaries to try and control IP etc. If you took them to court in the US (based on how your contract is set up) the US courts may rule in your favor but they have no way to enforce a ruling against them overseas, so great you get a judgement but your code is still published.
If they publish again to GitHub, absolutely send a takedown request and document the details. Otherwise, my 2 cents is to just move on and be thankful you got it down quickly.
You get what you pay for.
Quite often an Indian "consultant" is a middleman (or a few) doing nothing but fronting the cheapest guy in town to do something just enough to not get fired.
Chasing them or thrashing them is unproductive. You're not going to be seeing a dime.
They'll change their name by lunch time and will screw the next sucker.
Let them show you that they are a respectable company. They don't want you bad mouthing them. If they don't play ball, then you can take out a stick and see how far it will get you, but I'd start by asking them what other actions they've taken to ensure the security of your IP, etc etc. Act as if you've assumed they've done it and if they haven't, then you can have an open discussion about what you think should happen.
You can take it as an opportunity to also help them make sure something similar doesn't happen to future customers. You don't want them out of business, just this contract didn't work out.