Sensitive Data Including Source Code and Credentials Belonging to Scotiabank Exposed via Github Repositories

• Scotiabank’s source code and other sensitive data such as credentials were found on publicly available GitHub repositories.
• The Canadian bank has taken down the repositories after being alerted by The Register.

The backdrop

Jason Coulls, an IT pro, discovered the data belonging to Scotiabank on GitHub. Some of the data were believed to be exposed for months.

• The repositories contained hundreds of files of documentation and code. Some of these appeared to be for mobile apps for Central and South American users.
• They were found to contain access keys for a foreign exchange system, login credentials for services, keys to access the bank’s backend systems and services in different parts of the world, and software blueprints among others.
• Source code for integrating the bank’s systems with payment services was also observed to be in the repositories.

“They have a foreign exchange (FX) rate SQL Server database that has had its credentials and public-private keys in the open for months. Knowing that there is a known potential for someone to tweak FX rate data, the integrity of the bank is diminished accordingly,” said Coulls.

What did Scotiabank do?

The Register alerted Scotiabank about the open repositories. Following this, the repositories that appear to be misconfigured, were taken down by the financial institution.

“The information we identified that was posted on an online data repository does not contain information that would put our customers, employees and partners at risk. Our technical teams are working to remove the information,” said the bank.

Worth noting

The leaked code, if in the wrong hands, could have put Scotiabank and its millions of customers under risk, say experts.

Coulls tweeted that out of the 6 big banks in Canada, he has heard from half. “All were shaking heads. One (unnamed) was panicked and performed a emergency cleanup of all one (1!) found repository,” reads the tweet.