
Scotiabank source code and login credentials were hacked. Users should contact the bank to secure their money

A severe incident has been confirmed by IT system audit specialists. Scotiabank has mistakenly leaked some of its internal source code as well as confidential login credentials for its back-end systems.

The bank’s security teams have spent the last twelve hours deleting GitHub repositories that stored sensitive information and were accessible to any user. The exposed information includes software blueprints, access keys to exchange rate systems, bank mobile app codes, and database login credentials.

IT system audit specialist Jason Coulls was the one who spread the word about the exposed information, stating that some of the repositories had been leaking information for months. The expert notified Scotiabank and GitHub, in addition to alerting payment card processing companies and The Register platform: “Repositories contain a SQL Server database with currency exchange rates, exposing this system to modification, compromising the integrity of the bank,” he said. Most likely, the repositories have already been fully secured or deleted by now.

The exposed repositories also stored the source code for integrating the Scotiabank systems into payment services such as Samsung and Google Pay, as well as some credit card companies, such as Visa and Mastercard.

In this regard, a spokesman for Scotiabank says that the company is already investigating possible causes of the incident, although at the moment it is not possible to share additional details.

If any threat actors accessed the content of these repositories, both Scotiabank systems and the bank's more than 25 million customers could be exposed to a wide variety of cyberattacks.

This is not the first time IT system audit experts have discovered Scotiabank security flaws; a couple of years ago it was discovered that the bank’s digital unit used code that no one had analyzed or audited, and used expired security certificates. “This is a basic security flaw, but I’m not surprised, as I find leaks of Scotiabank information too often,” Coulls says.

International Institute of Cyber Security (IICS) IT system audit specialists support Coulls's account, stating that the bank’s IT teams leak information and code snippets all the time, from mobile apps to server-side implementations, including customer data.
