Early this morning, news began to break that GitHub repositories containing application source code, private login keys, and other sensitive information had been discovered online. To the shock and horror of the information security community, this absurdly sensitive treasure trove of data was found to belong to The Bank of Nova Scotia. Yes, there’s been a Scotiabank leak: Scotiabank, the 3rd largest bank in Canada and a member of the “Big 5”.

This is the latest high-profile example of unchecked data exposure that could have huge ramifications for yet another organization. This story is still developing, but this post will review the facts as they have been provided by Jason Coulls, the researcher who found the information publicly available and notified The Register, which then notified Scotiabank.


The repositories Coulls found could go on to impact everything Scotiabank touches: software blueprints and access keys for a foreign exchange rate system, mobile application code, login credentials for services and database instances, and other sensitive information were exposed for what Coulls says was months.

Source Code

Hundreds of files documenting code from Scotiabank’s Central and South American mobile applications were found as well, along with source code for integrating the bank’s systems with payment services. The screenshot we have from The Register clearly mentions Apple Pay and Samsung Pay, but US credit-card processors Visa and Mastercard were also named by The Register.

Employee Credentials

Credentials and keys to access some of the bank’s backend systems and services for branches around the world were also exposed. With over 3,000 branches worldwide, the amount of access a cybercriminal could have, does have, or has had over the lifetime of this exposure could result in serious business consequences for the bank, such as a decrease in shareholder value or customer attrition.

Sensitive Company Data and Intellectual Property

Sensitive blueprints were also discovered, along with code and login details for what the researcher says is a SQL database system of foreign exchange rates.

“They have a foreign exchange (FX) rate SQL Server database that has had its credentials and public-private keys in the open for months,” Coulls told The Register.

“Knowing that there is a known potential for someone to tweak FX rate data, the integrity of the bank is diminished accordingly.” – Jason Coulls, Cyber Researcher

At the time of this writing, Scotiabank had not made an official statement concerning the exposure, though according to The Register a spokesperson “acknowledged its security team is probing the matter.”

For now, only 2 details are known for certain:

1. Sensitive files with the ability to compromise or cripple portions of Scotiabank were available publicly – some of it for months

2. Scotiabank has over 25 million customers

Sadly, research reports that human error is responsible for nearly ⅓ of breaches, and it was most likely to blame for the misconfigurations that made the information public.

“In my experience, this muppet-grade security is perfectly normal for Scotiabank…”


The damage is done, and we will all be watching closely to see if there will be any major fallout from the data exposure. In the meantime, we can take what has been reported by the researcher and address the issue of data exposure through the proactive monitoring of digital assets. Had Scotiabank employed a solution like Matchlight, from Terbium Labs, their exposure may have been cut down to a day, or even less.

Matchlight continuously monitors your sensitive data and crawls the internet searching for it. Scotiabank would have been alerted immediately that their sensitive data was publicly available, giving their security team time to remediate the issue before a researcher or cybercriminal, and significantly reducing potential damages.

A reduction in the time it takes to identify and remediate is a reduction in costs and damages due to data exposure.

How it Works

For Scotiabank’s source code, employee credentials, and other sensitive data, Matchlight would deploy its fingerprinting technology to create unidentifiable “fuzzy-hashes” that would correspond with the files they wanted to protect. Matchlight would then have dived into the open, deep, and dark web, searching for Scotiabank’s digital assets. As soon as exposed data is identified, Matchlight returns an actionable alert within the platform’s dashboard.

As a multinational bank, Scotiabank should be worried about the sharing of sensitive data – even if that sharing is for the purpose of reducing data risk by monitoring for data loss exposure. This challenge is also addressed by Matchlight’s patented fingerprinting technology.

By generating fuzzy hashes within the network perimeter, Terbium Labs never sees Scotiabank’s sensitive data. And, as an added benefit, our fingerprinting aids in exact match capability to return the most accurate alerts, reducing noise and increasing efficiency for Scotiabank’s analysts.
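The idea of fingerprinting inside the perimeter and matching only on hashes can be sketched as follows. This is an added example, not Terbium Labs’ code or Matchlight’s actual algorithm: it assumes a generic scheme that hashes overlapping character windows, and every name, URL and sample value in it is constructed.

```python
import hashlib
import re

K = 14  # window length in characters (assumed; longer = fewer false matches)

def normalize(text: str) -> str:
    """Lowercase and collapse whitespace so reformatting does not hide a leak."""
    return re.sub(r"\s+", " ", text.lower()).strip()

def fingerprints(text: str, k: int = K) -> set[str]:
    """One-way hashes of every overlapping k-character window of the text."""
    norm = normalize(text)
    windows = (norm[i:i + k] for i in range(max(len(norm) - k + 1, 1)))
    return {hashlib.sha256(w.encode()).hexdigest()[:16] for w in windows}

def match_ratio(protected: set[str], crawled_text: str) -> float:
    """Share of the protected fingerprints found in one crawled page."""
    if not protected:
        return 0.0
    return len(protected & fingerprints(crawled_text)) / len(protected)

def alerts(protected: set[str], pages: dict[str, str], threshold: float = 0.3):
    """URLs whose content overlaps the protected file at or above threshold."""
    return [url for url, text in pages.items()
            if match_ratio(protected, text) >= threshold]

# Constructed sample data: a fake config file and three fake crawled pages.
SECRET_FILE = (
    "db.host=fx-rates.example.internal\n"
    "db.user=svc_fx\n"
    "db.password=CONSTRUCTED-PLACEHOLDER-0000\n"
)
PAGES = {
    "https://paste.example/full":
        "dump follows\r\n" + SECRET_FILE.upper().replace("\n", "\r\n   ") + "end",
    "https://paste.example/partial":
        "found this: db.password=CONSTRUCTED-PLACEHOLDER-0000",
    "https://news.example/story":
        "Quarterly results were published today without incident.",
}

# Inside the perimeter: only this set of hashes is handed to the monitor.
PROTECTED = fingerprints(SECRET_FILE)

if __name__ == "__main__":
    for url in alerts(PROTECTED, PAGES):
        print(f"ALERT {url} overlap={match_ratio(PROTECTED, PAGES[url]):.2f}")
```

In a scheme like this, unkeyed hashes of short or low-entropy windows can be guessed by whoever holds the fingerprint set, so the window length and what gets fingerprinted both matter.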

Additional information on the next steps for the bank or plans for remediation is not yet available, though the GitHub repositories were torn down soon after Scotiabank was notified.

Protect Yourself

Terbium Labs’ Matchlight can protect your corporate source code, employee credentials, blueprints, and other organizational data. Scotiabank is an unfortunate example of a reactive digital risk protection strategy. Contact us today to learn how you can be proactive with constant monitoring of your assets on the open, deep, and dark web.