A severe incident has been confirmed by IT system audit specialists. Scotiabank has mistakenly leaked some of its internal source code as well as confidential login credentials for its back-end systems.
The bank’s security teams have spent the last twelve hours deleting repositories on GitHub that stored sensitive information, which were available to any user for its access. The exposed information includes software blueprints, access keys to exchange rate systems, bank mobile app codes, and database login credentials.
IT system audit specialist Jason Coulls was in charge of spreading the word about the exposed information, stating that some of the repositories had been leaking information for months. The expert notified Scotiabank and GitHub, in addition to alerting payment card processing companies and The Register platform: “Repositories contain a SQL Server database with currency exchange rates, exposing this system to modification, compromising the integrity of the bank,” he said. Most likely, the repositories have already been fully secured or deleted by now.
The exposed repositories also stored the source code for integrating the Scotiabank systems into payment services such as Samsung and Google Pay, as well as some credit card companies, such as Visa and Mastercard.
In this regard, a spokesman for Scotiabank says that the company is already investigating possible causes of the incident, although at the moment it is not possible to share additional details.
In the event that any threat actors could have accessed the content of these repositories, both Scotiabank systems and its more than 25 million customers could be exposed to a wide variety of cyberattacks.
This is not the first time IT system audit experts have discovered Scotiabank security flaws; a couple of years ago it was discovered that the bank’s digital unit used a code that no one had analyzed or audited, and used expired security certificates. “This is a basic security flaw, but I’m not surprised, as I find leaks of Scotiabank information too often,” Coulls says.
International Institute of Cyber Security (IICS) IT system audit specialists support the Coulls version, stating that the bank’s IT teams leak information and code snippets all the time, from mobile apps to server-side implementations, including customer data.