Scotiabank says no risk to customers after bank's software found on coding website
IT consultant says he saw software code that could have allowed access to network
A Canadian IT consultant is raising the alarm after he says he found some sensitive software code belonging to Scotiabank on a popular online file-sharing repository.
Jason Coulls says he found source codes and access keys for some of the bank's internal systems while searching on GitHub, a popular online tool for software programmers that allows them to share information and collaborate on projects.
The discovery was first reported by British technology website The Register and has since been picked up by various cybersecurity-related publications.
Coulls told CBC News on Friday that he made no attempt to access any of the bank's information once he uncovered the code, but he said it looked as if some of the code he found was used to analyze various payment processing systems.
"In order to do that it has to access the customer transaction data," he said, which means some information such as customer names, account numbers and other identifying information could be accessed.
"Basically the things they ask for to then do a scam," he said. "That's not good to have that kind of information out there."
Coulls says the bank has removed most of the files since he brought it to light, but nonetheless information that clearly should not have been public was available in plain sight for months to anyone who knew where to look.
Coulls says he has no idea if the information was used for nefarious purposes — or indeed if the data was old code that no longer would provide access to the bank's network — but he stresses that's it's a problem either way. To show why, he says what the bank has done is akin to leaving a key to a house hidden on a front porch.
"When they leave the keys out, you can see the keys and you can see the lock, but nobody will know 100 per cent if the key actually works or not," or indeed if anyone entered the house, he said in an interview. "Whether somebody did go in or not we would never know and whether the key would fit the lock also we would not know."
In a statement to CBC News, the bank said its technical teams were "working to remove the information" from the web, but stressed that the data on the bank's 25 million customers is secure.
"The information that was posted on an online data repository does not contain information that would put our customers, employees and partners at risk," the bank said.