Staff at Indian outsourcing biz Tata Consultancy Service uploaded a huge trove of financial institutions' source code and internal documents to a public GitHub repository, an IT expert has claimed.
Jason Coulls, CTO of food safety testing company Tellspec and a former banking software developer, said he stumbled upon the collection of sensitive files after they were inadvertently leaked by a Tata developer in Kolkata, India. In the archive he found development notes, raw source, internal reports on web banking code development plans, and records of telephone calls with outsourcing partners.
The documents related to programming work Tata was carrying out for six big Canadian banks, two well-known American financial organizations, a multinational Japanese bank, and a multibillion dollar financial software company. The data is a boon for rival organizations developing similar features, as well as criminals who could exploit any weaknesses in the designs to potentially steal millions.
"The good news is that none of it was banking customers' data, it was mainly auxiliary data," Coulls told The Register late last week.
"But there was still a lot of useful stuff there – not just for hackers but for the firm's competitors. The first bank that gets in to look at it gets to see what everyone else is doing. There was a monumental common sense failure."
More than enough information to cause serious mischief ... A screenshot of some of the leaked data, redacted for security reasons
When alerted to the leak, you'd expect the affected businesses to react quickly, however that was not the case, according to our man. Coulls, a Brit now based in Toronto, Canada, said he was rebuffed or ignored when he went to the Canadian banks.
By contrast, the American financial institutions were very receptive, we're told, and responded immediately. The offending archive was taken down in short order from GitHub. Tata did not respond to requests from The Register for comment. The names of the affected clients have been withheld, for now, for security reasons.
What's up with Canada, eh?
Coulls told The Reg that his experience with the intransigence of Canadian banks is no surprise – he has been on their backs about lax security for years and has seen little improvement.
"There is a massive cultural difference between Canada and the US," he explained. "Canadians don't want to pay for security info and I don't work for free. But in the US I've had companies put someone on a plane on the same day for a meet-up in Toronto and they were buying me Guinness and discussing the issue with me that night."
Coulls, who authored a takedown on Canadian banking software entitled "Not my monkeys, not my circus!", said his research has shown nine out of 25 Canadian Schedule I banks are vulnerable to phishing attacks.
One bank's app "vomits out huge chunks of data – 40MB pushed out to the browser with each transaction," he said. Very few mobile banking apps make the effort to safeguard their communications either, he said.
Canuck commercial finance house bank Scotiabank is a particular target of Coulls' ire. The bank's app doesn't always use HTTPS for connections, dropping to HTTP, we're told.
"Right now there are at least a million people walking around with insecure banking apps and it's only a matter of time before there's a massive issue," he said. "It's not a happy situation; I laugh about it because if you don't you'd cry." ®