Thursday, May 18, 2017

Update on Canada's current bank source code breach

Yesterday I wrote about a large breach of source code from one of the "Big 6" banks in Canada. I'm still compiling details on it, which will be forwarded to a few separate authorities, but thought I'd share some new details regarding its scale.

Two things I can say about this particular source code breach:
  • It is not Scotiabank this time.
  • It's ongoing, and there's evidence the source code has been leaking for a number of years.

The server location with the leak is now known, and the vectors by which it can be reproduced have been documented. The cause of the leak is also now known: inadequate technical chops combined with relaxed security testing.

The problem has turned out to be bigger than originally thought, because once you factor in that this bank has multiple bank brands under the umbrella of the main bank, there are actually multiple bank brands leaking multiple versions of the source code for multiple systems.

The problem gets worse again when you realise there's more than just the retail and business banking operations affected.

It's a world-class hole.

I'm still assembling instructions for the authorities and the other affected sub-banks, and just need to finish documenting the further systems I have reasoned about but am not going to test myself. This is necessary because I can point external investigators and privacy officers to further systems that I can reasonably infer will also be broken, given what can already be proven, without going there myself to prove it. I personally don't want gigabytes of financial software cluttering up the place.

So, that's the current update.