HCL, a major IT services company, left internal web applications holding identifiable and sensitive data about its employees and customers reachable without authentication on HCL-linked subdomains, cybersecurity research firm UpGuard revealed.
The discovery was made on May 1, 2019. The exposed data included personal information and plaintext passwords of new hires, reports on installations of customer infrastructure, and a web application for managing personnel. Following UpGuard's disclosure, HCL made the exposed pages inaccessible to anonymous users and secured the known exposures.
“On May 6, after reaching a reasonably complete level of analysis of the public pages and data, the researcher sent a notification to HCL’s Data Protection Officer at email@example.com. That notification included links to five subdomains hosting pages with some kind of business information and two URLs for pages as examples of what could be found on those subdomains. On May 7, the analyst confirmed that those two pages could no longer be accessed without authentication but that pages on the other subdomains were still accessible. The analyst sent a follow-up email linking to other pages with HCL data, and on the next day, May 8, the analyst confirmed that those pages were also no longer accessible to anonymous users,” said the announcement from UpGuard.
UpGuard says that locating the accessible data took days of work, because it was spread across multiple subdomains and had to be reached page by page through a web UI rather than pulled in bulk. One of the subdomains located by the researchers contained pages for various HR administrative tasks. Although not every page on that subdomain was accessible, the team said that the pages which were gave anonymous users access to substantial amounts of personal information, “some of it very recent.”
A dashboard for new hires included records for 364 personnel. The oldest was from 2013, but over two hundred records were from 2019. Fifty-four of the records were for people who joined on May 6, 2019. The exposed data included candidate ID, name, mobile number, joining date, joining location, recruiter SAP code, recruiter name, created date, user name, cleartext password, BGV status, offer accepted, and a link to the candidate form.
“Among those data points, the most obvious risk is that the passwords could be used to access other HCL systems to which these employees would be given access,” the post reads.
HCL Technologies Limited (Hindustan Computers Limited) is an Indian multinational information technology (IT) services and consulting company headquartered in Noida, Uttar Pradesh, and a subsidiary of HCL Enterprise. Originally HCL's research and development division, it became an independent company in 1991 when HCL entered the software services business. Its portfolio ranges from software development to cybersecurity, infrastructure management and engineering, along with IoT and cloud services.
The exposure also reached HCL's customer relationships: customer installation reports were available online for anonymous users to read.
“The ASP framework used on this site had a security feature that prevents requests from being submitted if they are not from the UI. This prevents the alteration of requests to go beyond the scope of what the user is authorized to access. Because the UI was fully available to anonymous users, this did not protect the data but did prevent bulk downloading of all data by calling the APIs directly. None of the data here included credentials, but there were substantial amounts of information about HCL projects.”
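The point in the quoted paragraph is easy to misread: an anti-forgery (CSRF) token binds an API call to a page the server has already handed out, but it says nothing about who received that page. The following is an added illustration, not HCL's application or UpGuard's tooling, written as a framework-free Python model: the route names, the `__RequestVerificationToken` form field, the token construction (an HMAC over the visitor's session cookie) and the sample new-hire records are all assumptions made for the example. The vulnerable handler reproduces the pattern described above (token check, no authentication); the hardened handler adds the missing authentication check in front of the same routes.

```python
"""Added example: an anti-forgery token is not an access control.

Model of the pattern described in the quoted paragraph: the API refuses calls that
did not originate from the served UI, but the UI itself is served to anyone, so an
anonymous client can still read the data page by page. Not HCL's or UpGuard's code;
routes, field names and records are assumptions constructed for this illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Server-side key for minting tokens (assumed; a real framework manages its own).
_SECRET = secrets.token_bytes(32)

# Constructed sample rows standing in for the new-hire dashboard (not real data).
NEW_HIRES = [
    {"candidate_id": "C-0001", "name": "A. Example", "password": "Welcome@123"},
    {"candidate_id": "C-0002", "name": "B. Example", "password": "Summer2019!"},
]


@dataclass
class Request:
    path: str
    method: str = "GET"
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    user: Optional[str] = None  # set by the auth layer when a login cookie is valid


def new_anon_cookie() -> str:
    """Every visitor, logged in or not, gets a session cookie the token is bound to."""
    return secrets.token_hex(16)


def mint_token(session_cookie: str) -> str:
    """Anti-forgery token = HMAC(secret, session cookie); embedded in the UI page."""
    return hmac.new(_SECRET, session_cookie.encode(), hashlib.sha256).hexdigest()


def token_ok(req: Request) -> bool:
    """True only if the form token matches the one minted for this session cookie."""
    cookie = req.cookies.get("sess", "")
    supplied = req.form.get("__RequestVerificationToken", "")
    return bool(cookie) and hmac.compare_digest(mint_token(cookie), supplied)


def handle_vulnerable(req: Request) -> tuple:
    """The pattern from the quote: CSRF protection on the API, no authentication."""
    if req.path == "/hr/newhires" and req.method == "GET":
        # The dashboard page, token included, is served to anyone with a cookie.
        return 200, {"html": "<dashboard>", "token": mint_token(req.cookies.get("sess", ""))}
    if req.path == "/api/newhires" and req.method == "POST":
        if not token_ok(req):
            return 400, "anti-forgery token missing or invalid"  # blocks direct bulk pulls
        return 200, NEW_HIRES  # ...but not a client that loaded the UI first
    return 404, "not found"


def handle_hardened(req: Request) -> tuple:
    """Same routes, but an identity is required before any page or API is served."""
    if req.user is None:
        return 302, "/login"  # anonymous users are redirected, as the fixed pages were
    return handle_vulnerable(req)


def ui_driven_read(handler, user: Optional[str] = None) -> tuple:
    """What a browser (or a scraper imitating one) does: load the UI, reuse its token."""
    sess = new_anon_cookie()
    status, page = handler(Request("/hr/newhires", cookies={"sess": sess}, user=user))
    if status != 200:
        return status, page
    return handler(Request("/api/newhires", "POST", cookies={"sess": sess},
                           form={"__RequestVerificationToken": page["token"]}, user=user))


def direct_api_call(handler) -> tuple:
    """A direct API call with no token: the only thing the token check actually stops."""
    return handler(Request("/api/newhires", "POST", cookies={"sess": new_anon_cookie()}))


if __name__ == "__main__":
    print("vulnerable, via UI:", ui_driven_read(handle_vulnerable))
    print("vulnerable, direct:", direct_api_call(handle_vulnerable))
    print("hardened, anonymous:", ui_driven_read(handle_hardened))
    print("hardened, logged in:", ui_driven_read(handle_hardened, user="hr.admin"))
```

Run stand-alone, the vulnerable handler returns the records (cleartext passwords included) to an anonymous client that goes through the UI, while rejecting the tokenless direct call; the hardened handler redirects both anonymous attempts and serves the data only once `user` is set. The token check belongs in the design, but it has to sit behind authentication and authorization, never in place of them.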
Internal analysis reports were also exposed. A “detailed incidences report” covered 5,700 incidents labelled with VSAT ID, Location, ATM ID, Start time, End time, Duration, Reason, and Description. A “Service Window Uptime Report” listed VSAT ID, Consignee, City, Accountable Uptime, Comnet Issue, Non-HCL Comnet, Customer issue, and Uptime; it held 450 records for April 2019, 450 for January 2019, and 521 for January 2018, matching the regularity one would expect of a standard monthly report.
Other data the researchers accessed anonymously included the company’s weekly customer reports, installation reports, an escalation matrix for a transportation service, and an administrative panel for the recruiting approval chain.