In what’s being called a “monumental common sense failure”, a Kolkata-based developer working at Indian IT service giant Tata Consultancy Services (TCS) inadvertently leaked sensitive banking project data belonging to at least 10 companies on Github.
Github, an online code sharing and version control service, is primarily used by coders to share their open source projects. It functions as a professional network for developers.
The TCS employee at an unknown time published various project-related documents, including migration plans, estimates and presentations, of a number of companies. The breach put sensitive data of American, Canadian and Japanese financial institutions out in the public domain.
“Looking at the LinkedIn page of the leaker, it appears that TCS has not fired that individual yet for being such a monumental tool” — Jason Coulls
The repository was spotted by Jason Coulls, chief technology officer at Tellspec, a Canadian food analytics company, who keeps an eye on cybersecurity issues related to Canadian banks and telcos during his spare time. Coulls counted six Canadian banks, two well-known American financial organisations, a multinational Japanese bank, and a multibillion-dollar software company among those whose data was leaked.
Coulls roasted the erring employee on his blog. “Looking at the LinkedIn page of the leaker, it appears that TCS has not fired that individual yet for being such a monumental tool,” he wrote.
The Register, which reported the leak on Monday, laid out a snarky pun in a headline that called out the ‘Bungling Tata devs.’
“This was a new level of monumental head scratching activity, as you could literally fork or clone an entire repository of containing architecture details and roadmaps for some of the largest financial institutions in North America,” Coulls wrote on his blog.
“It is not customer data. I’d suspect that other banks would have been interested in seeing the plans and architectures of their competitors, though” — Coulls
FactorDaily mailed him asking about the severity of the breach, and the possibility of this data being exfiltrated.
“I don’t think anyone should lose contracts, but what I do think is that someone needs to address training and revisit protocols,” Coulls wrote in an emailed response to FactorDaily. “Obviously, if people put documents like this in a public GitHub repository, then something has failed — and that failure needs to be looked at.”
However, he ruled out the possibility of competitors and hackers gaining access to the leaked data, or it being sold on the dark web. “It is not customer data. I’d suspect that other banks would have been interested in seeing the plans and architectures of their competitors, though,” he said.
He added that Canadian banks leak data regularly, citing another example of a “common sense failure” related to the Scotiabank: the sharing of a link of a six-month-old Java code on Pastebin, which he reckons originated from one of the bank’s South American operations. He called it a failure of policy and procedure — a “people problem” that’s putting Canadians at unnecessary risk.
A TCS spokesperson acknowledged the leak, but claimed that no confidential material or documents were exposed in the incident in an emailed statement.
“The security team ensured immediate permanent deletion of all the content from the site. No client confidential material or documents were exposed or made public in this incident” — TCS spokesperson
“The issue related to certain files on Github was brought to TCS’s notice few days ago. As soon as we were made aware about the existence of certain TCS files, our security team carried out a thorough investigation and has come to the conclusion that the files were TCS material ie draft solution documents being created as part of an intended proposal for clients. The security team ensured immediate permanent deletion of all the content from the site. No client confidential material or documents were exposed or made public in this incident. The said site also had some code which was something that the concerned associate was using for his skill development. It neither belonged to TCS or any client.”
“Nobody wants to start a witch-hunt against contractors, Indian or otherwise. Whilst it was highly obvious in this particular leak that it originated at TCS, we often see bank IT problems and can’t tell who was ultimately responsible,” Coulls said.
He added that Indian outsourcing was just “one piece of a bigger jigsaw of problems.” “The nature of large outsourcing practices means that confidential information must regularly be exfiltrated from the bank… More care needs to be taken to ensure problems like this don’t happen,” he said.
There’s an app for that
Exposure of company secrets and files on Github is so commonplace that Fallible, a Bangalore-based cybersecurity firm, built Gitleaks.com, a tool that scanned terabytes of public data on Github for patterns of exposed secrets, such as database credentials, passwords, private keys, and more. The tool was shut down after a company (that he refused to name, due to legal threats) took a strong objection to it, said Abhishek Anand of Fallible, while declining to comment on the TCS breach. He said that Fallible plans to open source the code for Gitleaks soon.
Disclosure: FactorDaily is owned by SourceCode Media, which counts Accel Partners, Blume Ventures and Vijay Shekhar Sharma among its investors. Accel Partners is an early investor in Flipkart. Vijay Shekhar Sharma is the founder of Paytm. None of FactorDaily’s investors have any influence on its reporting about India’s technology and startup ecosystem.