Protect your corporate IT network from hackers and other unwanted intruders with Proxy Sentinel™. Click here for all the details and get the peace of mind you deserve.
Back to our Homepage Proxy Sentinel™ high performance Internet proxy server and secure firewall solution Firewall Sentinel™ secure & powerful Internet firewall solution About Internet Security.ca and GCIS Frequently Asked Questions on Internet security issues Internet Security Industry News - Stay informed of what's happening Contact Internet Security.ca today and order your Proxy Sentinel™ or Firewall Sentinel™ server now!

Indian outsourcing firm Tata leaks sensitive financial data from several banks

Sponsered ads:
Read the latest IT news. Visit ItDirection.net. Updated several times daily.

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

June 12, 2017

Based in India, the employees at the IT outsourcing firm Tata accidently uploaded a huge trove of sensitive financial institutions' source code and internal documents to a public GitHub repository.

As unbelievable as it sounds, Jason Coulls, CTO of internet security testing company Tellspec and a former banking software developer, said he stumbled upon the collection of sensitive files after they were inadvertently leaked by a Tata developer in Kolkata, India.

In the archive, he found development notes, raw source code, internal reports on web banking code development plans, and several records of telephone calls with outsourcing partners.

The documents related to programming work Tata was carrying out for six big Canadian banks, two well-known American financial organizations, a multinational Japanese bank, and a multibillion dollar financial software company.

The data is a big fluke for competing organizations developing similar features, as well as cyber criminals who could exploit any weaknesses in the designs to potentially steal millions of dollars.

"The good news is that none of it was banking customers' data, it was mainly auxiliary data," Coulls said late last week.

"But there was still a lot of useful data in the trove, not just for hackers but for the firm's rivals. The first bank that gets in to look at it gets to see what everyone else is doing. There was a monumental common sense failure."

When alerted to the security leak, you'd expect the affected businesses to react quickly, however that was not the case, according to Coulls, a British native now based in Toronto. He asserted he was rebuffed or ignored when he went to the Canadian banks with the news.

By contrast, the American financial institutions were extremely receptive and responded immediately. The offending archive was taken down in short order from GitHub. Tata did not respond to requests for comment.

The names of the affected clients have been withheld for security reasons. Coulls said that his experience with the intransigence of Canadian banks is no surprise-– he has been on their backs about lax security for years and has seen little improvement.

"There is a huge cultural difference between Canada and the United States," he explained. "Canadians don't want to pay for security and I don't work for free. But in the U.S., I've had companies put someone on a plane on the same day for a meeting in Toronto and they discussed the security issue with me the same day."

Coulls, who authored a takedown on Canadian banking software entitled "Not my monkeys, not my circus!", said his research has revealed that nine out of 25 Canadian Schedule I banks are vulnerable to phishing attacks and other forms of cyber security problems.

One bank's app "vomits out huge chunks of data, more than 40 MB pushed out to the browser with each transaction," he said.

Very few mobile banking apps make the effort to safeguard their communications either, he said. Canadian firm Scotiabank is a particular target of Coulls' ire. The bank's app doesn't always use HTTPS for connections, dropping to HTTP.

"Right now there are at least a million people walking around with insecure banking apps and it's only a matter of time before there's a massive security breach by the bad guys," he said. "It's not a happy situation, and one that needs to be addressed ASAP."

Source: Tellspec Inc.

Sponsered ads:
Read the latest IT news. Visit ItDirection.net. Updated several times daily.

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.


Home | Proxy Sentinel™ | Firewall Sentinel™ | FAQ | News | Sitemap | Contact
Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer