The security firm UpGuard said it had found a file containing customer keywords publicly accessible on an HCL domain and subsequently discovered that there were other pages containing personal and business data.
According to Wikipedia, HCL has offices in 44 countries, more than 137,000 employees and counts among its clients 250 of the Fortune 500 and 650 of the Global 2000 companies. "It is among the top 20 largest publicly traded companies in India with a market capitalisation of US$18.7 billion as of May 2017. As of May 2018, the company, along with its subsidiaries, had a consolidated revenue of US$7.8 billion," Wikipedia adds.
The exposed data was found on 1 May but ascertaining the extent of the information that was open took a number of days, the company said.
"These constraints expanded the scope of analysis and limited the speed with which the analyst could access the data."
HCL was notified of the exposed data on 6 May, including "links to five subdomains hosting pages with some kind of business information and two URLs for pages as examples of what could be found on those subdomains".
Regarding details of the data open to public view, UpGuard said one subdomain contained pages for various human resources administrative tasks. While not all pages were accessible, those that were viewable contained plenty of personal information, some of which was very recent.
"A dashboard for new hires included records for 364 personnel. The oldest were from 2013, but over two hundred records were from 2019. In fact, 54 of the records were for people who joined on 6 May 2019," UpGuard wrote.
The data that was exposed included ID, name, mobile number, joining date, joining location, recruiter SAP code, recruiter name, created date, user name, cleartext password, BGV status, offer accepted, and a link to the candidate's form.
A second page found by UpGuard was from personnel management and listed the names and SAP codes for more than 2,800 employees.
UpGuard also found internal analysis of some 5700 incidents, with fields labelled VSAT ID, Location, ATM ID, Start time, End time, Duration, Reason, and Description. The “Service Window Uptime Report” includes VSAT ID, Consignee, City, Accountable Uptime, Comnet Issue, Non HCL Comnet, Customer issue, Uptime. There were 450 records for April of 2019, 450 records for January of 2019, and 521 records for January 2018.
UpGuard said the fact that HCL had a data protection officer who was easily contactable ensured that the leak was plugged soon after the company was notified.
"Though HCL never responded to UpGuard, they took action immediately on notification. Many exposures remain public long after detection due to a lack of public, correct contact information for the responsible party," UpGuard commented.
Contacted for comment, an HCL spokesperson told iTWire: "HCL Technologies takes data security extremely seriously. Based on our investigation of this specific issue, we have determined that no sensitive employee or customer data was accessed, compromised or exposed in any way, per any applicable privacy regulations.
"We remain deeply committed to the values of trust and transparency that underpin our relationship with our employees and customers."