IT services firm HCL left employee passwords and other sensitive data in leak

News by Rene Millman

Blunder leaves confidential information in the open at Indian outsourcer. As well as data on its own employees, HCL also accidentally exposed records of customers.

Security researchers have discovered web pages belonging to Indian outsourcing giant HCL left exposed online. The data included passwords and project reports on employees and customers.

According to a blog post by researchers at UpGuard, a file containing customer keywords was found publicly accessible on an HCL domain.

The public data included personal information and plaintext passwords for new hires, reports on installations of customer infrastructure, and web applications for managing personnel.

The data was unearthed on 1 May and was not secured until 8 May. There are no indications that hackers have accessed the data at present.

"Whereas a typical data exposure involves one collection of data, either in a single storage bucket or database, in this case the data was spread out across multiple subdomains and had to be accessed through a web UI," said researchers.

"These constraints expanded the scope of analysis and limited the speed with which the analyst could access the data."

Researchers notified HCL on 6 May, including "links to five subdomains hosting pages with some kind of business information and two URLs for pages as examples of what could be found on those subdomains".

They added that one subdomain contained pages for various HR administrative tasks.

"A dashboard for new hires included records for 364 personnel. The oldest were from 2013, but over two hundred records were from 2019. In fact, 54 of the records were for people who joined on 6 May 2019," researchers said.

The exposed data included candidate ID, name, mobile number, joining date, joining location, recruiter SAP code, recruiter name, created date, user name, cleartext password, BGV status, offer accepted, and a link to the candidate form. Among those data points, the most obvious risk is that the passwords could be used to access other HCL systems to which these employees would be given access.

As well as data on its own employees, HCL also accidentally exposed records of customers. A reporting interface for HCL's "SmartManage" reporting system exposed details of project statuses, sites, incidents, and more.

There was also a "detailed incidences report" that listed about 5700 incidents with fields labelled: VSAT ID, Location, ATM ID, Start time, End time, Duration, Reason, and Description.

Researchers said that in addition to taking to heart the risk of data leaks, business leaders should also note the effectiveness of HCL’s response.

"HCL has a data protection officer, which not all companies do. The existence of that role is clearly advertised, and an email address for contacting them easy to find. Though HCL never responded to UpGuard, they took action immediately on notification."

Paul Ducklin, senior technologist at Sophos, told SC Media UK that there are two big takeaways.

"The first is very general: when you upload resources to the cloud you owe it to your customers to know clearly and accurately how that data can be reached from the internet.

"You can outsource your data storage but you cannot outsource your responsibility. The second is very specific: don't store plaintext passwords. Don't do it, ever. Salt. Hash. Stretch. If you don't know what that means, you shouldn't be handling passwords in the first place," he said.
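What "salt, hash, stretch" looks like in practice, as an added example that is not code from the article, from UpGuard or from HCL: a new-hire record of the shape described above (candidate ID, user name, password) has its cleartext password replaced by a PBKDF2-HMAC-SHA256 hash with a per-record random salt and a stored iteration count, and logins are checked by recomputing the hash rather than comparing plaintext. The record values, the 600,000-iteration work factor and the storage format are assumptions for illustration; only the Python standard library is used.

```python
"""
Added example (not from the article, UpGuard or HCL): store passwords salted,
hashed and stretched instead of in cleartext, using only the standard library.
"""
import base64
import hashlib
import hmac
import secrets

# Work factor (assumed here; 600,000 PBKDF2-HMAC-SHA256 iterations follows current
# OWASP guidance). It is stored next to the hash so it can be raised later
# without invalidating existing records.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.

    Malformed or unknown records verify as False rather than raising."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was hashed below the current work factor (or is not in
    the expected format). Check this after a successful login and re-hash the
    password you just verified, so old records migrate without a reset."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


# Constructed sample record in the shape of the exposed new-hire dashboard
# (candidate ID, user name, cleartext password). The values are made up.
CLEARTEXT_RECORD = {
    "candidate_id": "C-000001",
    "user_name": "jdoe",
    "password": "Welcome@2019",
}


def convert_record(record: dict) -> dict:
    """Return a copy of the record with the cleartext password field replaced
    by its salted, stretched hash. The plaintext is never written back."""
    safe = dict(record)
    safe["password_hash"] = hash_password(safe.pop("password"))
    return safe


if __name__ == "__main__":
    safe = convert_record(CLEARTEXT_RECORD)
    print(safe)
    print(verify_password("Welcome@2019", safe["password_hash"]))  # True
    print(verify_password("Welcome@2020", safe["password_hash"]))  # False
```

Two points worth noting in the design: the salt makes two hashes of the same password differ, so a leaked table cannot be attacked with one precomputed dictionary, and the iteration count is part of the stored record, so the work factor can be raised on the next successful login instead of forcing every user to reset.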

Hugo van den Toorn, manager of Offensive Security at Outpost24, told SC Media UK that "Your organisation's data is your responsibility, whether you are processing the data yourself or a third party is handling the information. The same risk assessments and security measures should be taken to ensure it is protected at the appropriate level of security."

"Systems, especially when handling sensitive (personal) information such as recruiting and client information, should never be connected directly to the Internet. This poses a direct risk to the data that is on there. Whenever setting up such a system, ensure it is accessible internally on a need-to-have basis. If employees need external access, provide this through a secured method such as a VPN," he said.
