Wednesday, 22 May 2019 08:57

Indian outsourcer HCL leaks personal, business data on Web


Indian outsourcing company HCL Technologies — formerly known as Hindustan Computers Limited — has exposed personal information of employees, plaintext passwords for new hires, reports on installations of customer infrastructure, and web applications for managing personnel on an unprotected domain.

The security firm UpGuard said it had found a file containing customer keywords publicly accessible on an HCL domain and subsequently discovered that there were other pages containing personal and business data.

According to Wikipedia, HCL has offices in 44 countries, more than 137,000 employees and counts among its clients 250 of the Fortune 500 and 650 of the Global 2000 companies. "It is among the top 20 largest publicly traded companies in India with a market capitalisation of US$18.7 billion as of May 2017. As of May 2018, the company, along with its subsidiaries, had a consolidated revenue of US$7.8 billion," Wikipedia adds.

The exposed data was found on 1 May but ascertaining the extent of the information that was open took a number of days, the company said.

"Whereas a typical data exposure involves one collection of data, either in a single storage bucket or database, in this case the data was spread out across multiple subdomains and had to be accessed through a web UI," UpGuard said in a blog post.

"These constraints expanded the scope of analysis and limited the speed with which the analyst could access the data."

HCL was notified of the exposed data on 6 May, including "links to five subdomains hosting pages with some kind of business information and two URLs for pages as examples of what could be found on those subdomains".

Regarding details of the data open to public view, UpGuard said one subdomain contained pages for various human resources administrative tasks. While not all pages were accessible, those that were viewable contained plenty of personal information, some of which was very recent.

"A dashboard for new hires included records for 364 personnel. The oldest were from 2013, but over two hundred records were from 2019. In fact, 54 of the records were for people who joined on 6 May 2019," UpGuard wrote.

The data that was exposed included ID, name, mobile number, joining date, joining location, recruiter SAP code, recruiter name, created date, user name, cleartext password, BGV status, offer accepted, and a link to the candidate's form.

A second page found by UpGuard was from personnel management and listed the names and SAP codes for more than 2,800 employees.

UpGuard also found internal analysis of some 5700 incidents, with fields labelled VSAT ID, Location, ATM ID, Start time, End time, Duration, Reason, and Description. The “Service Window Uptime Report” includes VSAT ID, Consignee, City, Accountable Uptime, Comnet Issue, Non HCL Comnet, Customer issue, Uptime. There were 450 records for April of 2019, 450 records for January of 2019, and 521 records for January 2018.

UpGuard said the fact that HCL had a data protection officer who was easily contactable ensured that the leak was plugged soon after the company was notified.

"Though HCL never responded to UpGuard, they took action immediately on notification. Many exposures remain public long after detection due to a lack of public, correct contact information for the responsible party," UpGuard commented.

Contacted for comment, an HCL spokesperson told iTWire: "HCL Technologies takes data security extremely seriously. Based on our investigation of this specific issue, we have determined that no sensitive employee or customer data was accessed, compromised or exposed in any way, per any applicable privacy regulations.

"We remain deeply committed to the values of trust and transparency that underpin our relationship with our employees and customers."




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


