Wednesday, 22 May 2019 08:57

Indian outsourcer HCL leaks personal, business data on Web


Indian outsourcing company HCL Technologies — formerly known as Hindustan Computers Limited — has exposed personal information of employees, plaintext passwords for new hires, reports on installations of customer infrastructure, and web applications for managing personnel on an unprotected domain.

The security firm UpGuard said it had found a file containing customer keywords publicly accessible on an HCL domain and subsequently discovered that there were other pages containing personal and business data.

According to Wikipedia, HCL has offices in 44 countries, more than 137,000 employees and counts among its clients 250 of the Fortune 500 and 650 of the Global 2000 companies. "It is among the top 20 largest publicly traded companies in India with a market capitalisation of US$18.7 billion as of May 2017. As of May 2018, the company, along with its subsidiaries, had a consolidated revenue of US$7.8 billion," Wikipedia adds.

The exposed data was found on 1 May, but ascertaining the extent of the information that was open took a number of days, the company said.

"Whereas a typical data exposure involves one collection of data, either in a single storage bucket or database, in this case the data was spread out across multiple subdomains and had to be accessed through a web UI," UpGuard said in a blog post.

"These constraints expanded the scope of analysis and limited the speed with which the analyst could access the data."

HCL was notified of the exposed data on 6 May, including "links to five subdomains hosting pages with some kind of business information and two URLs for pages as examples of what could be found on those subdomains".

Regarding details of the data open to public view, UpGuard said one subdomain contained pages for various human resources administrative tasks. While not all pages were accessible, those that were viewable contained plenty of personal information, some of which was very recent.

"A dashboard for new hires included records for 364 personnel. The oldest were from 2013, but over two hundred records were from 2019. In fact, 54 of the records were for people who joined on 6 May 2019," UpGuard wrote.

The data that was exposed included ID, name, mobile number, joining date, joining location, recruiter SAP code, recruiter name, created date, user name, cleartext password, BGV status, offer accepted, and a link to the candidate's form.

A second page found by UpGuard was from personnel management and listed the names and SAP codes for more than 2,800 employees.

UpGuard also found internal analysis of some 5700 incidents, with fields labelled VSAT ID, Location, ATM ID, Start time, End time, Duration, Reason, and Description. The “Service Window Uptime Report” includes VSAT ID, Consignee, City, Accountable Uptime, Comnet Issue, Non HCL Comnet, Customer issue, Uptime. There were 450 records for April of 2019, 450 records for January of 2019, and 521 records for January 2018.

UpGuard said the fact that HCL had a data protection officer who was easily contactable ensured that the leak was plugged soon after the company was notified.

"Though HCL never responded to UpGuard, they took action immediately on notification. Many exposures remain public long after detection due to a lack of public, correct contact information for the responsible party," UpGuard commented.

Contacted for comment, an HCL spokesperson told iTWire: "HCL Technologies takes data security extremely seriously. Based on our investigation of this specific issue, we have determined that no sensitive employee or customer data was accessed, compromised or exposed in any way, per any applicable privacy regulations.

"We remain deeply committed to the values of trust and transparency that underpin our relationship with our employees and customers."


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
