* Posts by queueback

1 publicly visible post • joined 19 Sep 2019

Scotiabank slammed for 'muppet-grade security' after internal source code and credentials spill onto open internet

queueback
WTF?

Not just incompetence, also a culture of unethical conduct in Scotiabank

The story and comments are rightfully talking about incompetence. Keep in mind that Scotiabank's security department, which is called Information Security and Control inside the bank, embodies underhand and unethical conduct. There is a branch in the security department called Information Security Advisory Services that is supposed to do security risk assessments of all Scotiabank technology products and services as a gatekeeper function. Unfortunately their Security Advisory is marred not just by poor competence, but also by falsified assessments and risk profiling.

This Security Advisory group is well groomed to classify any serious security gaps and risk impact findings, in their so-called assessment reports, as low impact or low risk (no matter what the real risk is). If you read Scotiabank's security risk assessment documents, most, if not all, threats to their services are classified as low or inconsequential impact.

So an incident or breach like this one should not come as a surprise. If you don't believe me, ask the Scotiabank CISO to make available the reports called TRAs (threat and risk assessments) for their customer-facing Internet services.