Sensitive data of another major Canadian firm has been found sitting open on the GitHub developer platform.
Security researcher Jason Coulls said he recently discovered two open accounts with application source code, internal user names and passwords, and private keys for Rogers Communications. No customer data was found.
He suspects the code belonged to a developer who has left the telco.
Coulls, who works in the IT department of a Toronto firm and has his own security consultancy, initially told The Register of the discovery, after which the news site contacted Rogers.
One problem is that the code he saw describes data payloads and how they move between databases and web services.
“You can use that to get to the stuff that people [thieves] would go after,” he explained.
In a statement late last night, a spokesperson for Rogers told The Register that “code for two applications posted on the repository hub could not be used to access any information about our customers, employees or partners, and at no time was any information at risk. The code and private keys for the web-based application have been obsolete for many years and the closed back-office application is not accessible on the Internet and the passwords to access it are disabled. We have multiple layers of security and we proactively monitor across all our applications, and there has been no activity.”
But in an interview with IT World Canada this morning Coulls said the problem is worse. Earlier today he discovered five more open folders on GitHub apparently with Rogers’ customer data.
“It has device identifier, customer’s phone number, how much they paid for it, how much Rogers paid in subsidies, what is on their plan. By most definitions that is a breach. It’s not a big one, but it’s a breach,” he said.
UPDATE: Late this afternoon Sarah Schmidt, Rogers director of public affairs, issued this statement to ITWC: “With respect to the links we have analyzed [on GitHub] to date, we have found very limited disjointed pieces of information that do not identify specific customers, and the links are being removed.”
The statement didn’t specify, but an update to the Register story now includes a link to an application made by Rogers to take down two GitHub repositories with proprietary information created by ex-employees.
“With respect to the code and private keys for the web-based application we have analyzed,” the statement goes on, “they have been obsolete for many years, and of the closed back-office applications we have reviewed to date, they are not accessible on the internet and the passwords to access them are disabled.”
Coulls often hunts GitHub looking for unprotected data belonging to Canadian banks so they can be warned.
Last September he accused Scotiabank of poor security after discovering someone had left bank application source code and private login keys to backend systems open on GitHub repositories.
Canadian banks are among the companies that aren’t tough enough on internal developers or contractors who are hired for application work, he said, and major firms should forbid developers from posting code on external repositories like GitHub.
In addition, Coulls is adamant that IT security teams need to be more aggressive in searching not only their own sites but sites like GitHub for unsecured applications.
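The kind of material described in this story (private keys, internal passwords, credentials embedded in application code) is exactly what a secret scanner looks for before code leaves an organization. The following Python script is an added example, not code from the article, from Coulls or from Rogers; it runs three checks over a set of constructed file contents: PEM private-key headers, credential-style assignments such as `password = "..."`, and long quoted strings whose Shannon entropy suggests a key or token. The file paths and contents are invented for illustration.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


# Rule 1: PEM private-key header, the most unambiguous signal in a repository.
# Rule 2: a credential-looking name assigned a quoted literal of 6+ characters.
RULES = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
    ),
}

# Rule 3 candidate: any quoted literal of 20+ key-like characters; flagged only
# if its entropy is high, so ordinary words and short config values are skipped.
QUOTED_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64/hex material scores well above prose."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str, entropy_threshold: float = 4.0) -> list[Finding]:
    """Apply all rules to one file's contents and return every hit with its line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        snippet = line.strip()[:80]
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, snippet))
        for m in QUOTED_TOKEN.finditer(line):
            if shannon_entropy(m.group(1)) >= entropy_threshold:
                findings.append(Finding(path, line_no, "high_entropy_string", snippet))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (e.g. the files staged for a commit)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample tree: one config file with a password, one committed key,
# one source file with a hard-coded token, and a README that should stay clean.
SAMPLE_FILES = {
    "config/db.properties": 'db.user = "svc_billing"\ndb.password = "Summer2015!"\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "src/client.py": 'API_TOKEN = "A9fK2mQ7xZpL3vB8nR4tY6wE1sD5gH0j"\nTIMEOUT = "30"\n',
    "README.md": "Set DB_PASSWORD in the environment; never commit it.\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
```

Wired into a pre-commit hook or a CI job, a non-empty result from `scan_files` is the point at which to block the push; the same logic, pointed at a clone of an externally hosted repository, is the proactive search Coulls describes. The entropy threshold of 4.0 bits is an assumption that catches 32-character random tokens and misses English words, and should be tuned against a project's real false-positive rate.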