I used to work at Bank of America as a level 2 app analyst back when they first started building Quartz. At the time, it was advertised internally as a system to be used for reporting, and so it had lots of built-in functionality to connect to databases, etc. Pretty neat.
That said.
The method of encoding production database credentials was rot-13. No joke. In the Quartz interface, you could double click on a starred-out set of credentials, and it would run rot-13 on it and display the password. This was for FX, rates, credit card, mortgage, etc etc etc. Having access to this cloud system gave effective access into all of Bank of America and Merrill Lynch.
They probably save a lot of their money by using very, very bad practices.
Still only the second worst security fail I've seen.