Scotiabank’s ‘Muppet-grade Security’ And Tortoiseshell Infecting IT Providers To Hit Their Customers

By   ISBuzz Team
Writer , Information Security Buzz | Sep 19, 2019 03:07 am PST

Canadian financial giant, Scotiabank, has torn down GitHub repositories, which were inadvertently left open to the public and contained sensitive internal source code information, as well as some private login keys to backend systems.

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Anurag Kahol
Anurag Kahol , CTO
September 19, 2019 11:11 am

Unfortunately, seeing a report about an unsecured database is no longer an unusual event. The number one responsibility of all organisations is to defend their data. Leaving personal and sensitive information unprotected is not only careless – it’s irresponsible. Misconfigurations like this have grown in popularity as an attack vector across all industries. This highlights the reality that organizations are struggling with limited IT resources and, consequently, are susceptible to careless and reckless mistakes like this one. However, even companies with limited IT resources must take full responsibility for securing user data – there is no excuse for negligent security practices such as leaving databases exposed.

To ensure data is always safe, companies should look for security platforms that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information.

Last edited 4 years ago by Anurag Kahol
Ilia Kolochenko
Ilia Kolochenko , Founder and CEO
September 19, 2019 11:08 am

Public code repositories, various code and data sharing projects can greatly facilitate DevSecOps and accelerate agile software development. However, they likewise bring a wide spectrum of critical business risks of inadvertent or careless data leaks exacerbated by third-party developers with insufficient security training. Some developers recklessly share passwords from production systems on Pastebin thereby opening doors to their digital realms without thinking about the consequences.

Cybercriminals are well aware of the situation and are continuously crawling publicly accessible data sources to get sensitive source code, hard-coded credentials and API keys. Worst, they often succeed and their intrusions frequently remain undetected as virtually no abnormal activities happens.

Large companies need to thoughtfully design a secure software development policy, and properly enforce and monitor it. Regular security training for developers should be an essential part of the policy. Special attention must be given when developers are outsourced to third-parties unfamiliar with security procedures and best practices.

Last edited 4 years ago by Ilia Kolochenko

Recent Posts

Would love your thoughts, please comment.x