TCS Manager Shares Confidential Client Data On Github, Security Researcher Calls It “Stupidity On Massive Scale”

There’s been a spate of hacking scandals in recent months, and digital institutions have been on high alert. Employees handling critical data have been warned to be careful of the links they click and the sites they access — you never know when someone’s looking for a misstep to hack into your systems. But no precautions can help if you go ahead upload confidential data for the world to see.

A TCS Kolkata manager has reportedly uploaded critical client documentation and code on Github, a Canadian researcher has said. “You can’t sugarcoat this. It’s stupidity on a massive scale,” Jason Coulls wrote in his blog, while sharing a screenshot of the data. The archive he found had development notes, raw source code, internal reports on web banking code development plans, and records of telephone calls with outsourcing partners.



The data pertained to six big Canadian banks, two well-known American financial organizations, a multinational Japanese bank, and a multibillion dollar financial software company. “The good news is that none of it was banking customers’ data, it was mainly auxiliary data,” Coulls told The Register late last week.

“But there was still a lot of useful stuff there – not just for hackers but for the firm’s competitors. The first bank that gets in to look at it gets to see what everyone else is doing. There was a monumental common sense failure.”

Github is a code repository where anyone can upload and manage code, but with the incorrect settings, the code can be publicly visible. The TCS files were reportedly even indexed by Google, which meant that they’d have been thrown up after a simple Google search. The data was deleted after Coulls alerted the banks in question. Coulls was also able to identify the manager who’d uploaded the data, and according to his LinkedIn profile, he’s still employed with TCS.

Coulls has been scathing in his assessment of the situation, and has hinted that sending critical data to Indian consulting companies adds security vulnerabilities for big banks. This won’t come as good news for Indian outsourcing companies, which are already reeling from President Trump’s orders, pressures on margins, and looming threats of layoffs. The last thing they need right now is employees sharing critical data on their Github profiles.