Jason Coulls, an IT pro, discovered data belonging to Scotiabank on GitHub. Some of the data is believed to have been exposed for months.
“They have a foreign exchange (FX) rate SQL Server database that has had its credentials and public-private keys in the open for months. Knowing that there is a known potential for someone to tweak FX rate data, the integrity of the bank is diminished accordingly,” said Coulls.
What did Scotiabank do?
The Register alerted Scotiabank about the open repositories. Following this, the repositories, which appear to have been misconfigured, were taken down by the financial institution.
“The information we identified that was posted on an online data repository does not contain information that would put our customers, employees and partners at risk. Our technical teams are working to remove the information,” said the bank.
The leaked code, in the wrong hands, could have put Scotiabank and its millions of customers at risk, say experts.
Coulls tweeted that out of the 6 big banks in Canada, he has heard from half. “All were shaking heads. One (unnamed) was panicked and performed an emergency cleanup of all one (1!) found repository,” reads the tweet.