Indian outsourcing firm Tata leaks sensitive financial data from several banks
June 12, 2017
Employees of the India-based IT outsourcing firm Tata accidentally uploaded a huge trove of financial institutions' sensitive source code and internal documents to a public GitHub repository.
As unbelievable as it sounds, Jason Coulls, CTO of internet security testing company Tellspec and a former banking software developer, said he stumbled upon the collection of sensitive files after they were inadvertently leaked by a Tata developer in Kolkata, India.
In the archive, he found development notes, raw source code, internal reports on web banking code development plans, and several records of telephone calls with outsourcing partners.
The documents related to programming work Tata was carrying out for six big Canadian banks, two well-known American financial organizations, a multinational Japanese bank, and a multibillion dollar financial software company.
The data is a windfall for competing organizations developing similar features, as well as for cyber criminals who could exploit any weaknesses in the designs to potentially steal millions of dollars.
"The good news is that none of it was banking customers' data; it was mainly auxiliary data," Coulls said late last week.
"But there was still a lot of useful data in the trove, not just for hackers but for the firm's rivals. The first bank that gets in to look at it gets to see what everyone else is doing. There was a monumental common sense failure."
You would expect the affected businesses to react quickly when alerted to a security leak. That was not the case, according to Coulls, a British native now based in Toronto, who said he was rebuffed or ignored when he took the news to the Canadian banks.
By contrast, the American financial institutions were extremely receptive and responded immediately. The offending archive was taken down in short order from GitHub. Tata did not respond to requests for comment.
The names of the affected clients have been withheld for security reasons. Coulls said that his experience with the intransigence of Canadian banks is no surprise: he has been on their backs about lax security for years and has seen little improvement.
"There is a huge cultural difference between Canada and the United States," he explained. "Canadians don't want to pay for security and I don't work for free. But in the U.S., I've had companies put someone on a plane on the same day for a meeting in Toronto and they discussed the security issue with me the same day."
Coulls, who authored a takedown of Canadian banking software entitled "Not my monkeys, not my circus!", said his research has revealed that nine out of 25 Canadian Schedule I banks are vulnerable to phishing attacks and other cyber security problems.
One bank's app "vomits out huge chunks of data, more than 40 MB pushed out to the browser with each transaction," he said.
Very few mobile banking apps make the effort to safeguard their communications either, he said. Canadian firm Scotiabank is a particular target of Coulls' ire. The bank's app doesn't always use HTTPS for connections, dropping to HTTP.
"Right now there are at least a million people walking around with insecure banking apps and it's only a matter of time before there's a massive security breach by the bad guys," he said. "It's not a happy situation, and one that needs to be addressed ASAP."
Source: Tellspec Inc.