The digital solutions firm HCL left information belonging to some of its employees and customers publicly accessible.
The exposure was first noticed by UpGuard when it came across personal information and plaintext passwords for new hires, reports on installations of customer infrastructure, and web applications for managing personnel. Using a keyword search technique that trolls for exposed sensitive information, UpGuard researchers found the data on various HCL domains on May 1.
“Whereas a typical data exposure involves one collection of data, either in a single storage bucket or database, in this case the data was spread out across multiple subdomains and had to be accessed through a web UI. These constraints expanded the scope of analysis and limited the speed with which the analyst could access the data,” UpGuard wrote.
One exposed subdomain contained HR administrative information with “substantial amounts of personal information.” This included a dashboard for new hires with records on 364 people dating from 2013 to 2019; the exposed fields included candidate ID, name, mobile number, joining date, joining location, recruiter SAP code, recruiter name, created date, user name, cleartext password, BGV status, offer accepted, and a link to the candidate form, UpGuard reported.
UpGuard also found information on numerous tools, admin panels and reports used and created by HCL to track everything from the progress of certain projects to reports requested by its customers.
UpGuard did not whitewash HCL’s handling of all this information, but did note that in today’s world a firm of HCL’s size, about 135,000 employees, has a very difficult task managing the mounds of data it compiles.
“That management complexity writ large is the root cause of data leaks in general. In this case, pages that appeared like they should require user authentication instead were accessible to anonymous users. The fact that other pages on those same apps did require user authentication speaks to the challenge that causes data leaks: if every page must be configured correctly, eventually a misstep will result in an exposure,” UpGuard concluded.
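The failure mode UpGuard describes, where each page opts into authentication individually and one forgotten check exposes data, is a design choice rather than a one-off bug. The following is an added example, not code from the article, UpGuard or HCL: a tiny request router written two ways. The first protects pages one at a time with a decorator; the second denies anonymous access by default and keeps an explicit allowlist of public paths, so the same registration mistake no longer leaks. All names (`OptInRouter`, `DefaultDenyRouter`, the sample paths and session token) are hypothetical, and `audit_anonymous_access` is the kind of check a defender can run against a route table to find pages reachable without a session.

```python
"""Added example (not from the article, UpGuard or HCL): per-page opt-in
authentication versus a default-deny router. All names and data are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Set

# Constructed sample session store: session token -> username.
SESSIONS: Dict[str, str] = {"tok-abc": "hr_admin"}


@dataclass
class Request:
    path: str
    session_token: Optional[str] = None


@dataclass
class Response:
    status: int
    body: str = ""


Handler = Callable[[Request], Response]


def require_login(handler: Handler) -> Handler:
    """Guards a single page. Every protected page must remember to use it."""
    def wrapped(req: Request) -> Response:
        if req.session_token not in SESSIONS:
            return Response(401, "login required")
        return handler(req)
    return wrapped


def new_hires_dashboard(req: Request) -> Response:
    # Constructed stand-in for an HR page that would hold personal data.
    return Response(200, "candidate records")


def login_page(req: Request) -> Response:
    return Response(200, "login form")


@dataclass
class OptInRouter:
    """Fragile pattern: a page is only protected if its author wrapped it."""
    routes: Dict[str, Handler] = field(default_factory=dict)

    def dispatch(self, req: Request) -> Response:
        handler = self.routes.get(req.path)
        return handler(req) if handler else Response(404)


@dataclass
class DefaultDenyRouter:
    """Hardened pattern: every route needs a valid session unless listed as public."""
    routes: Dict[str, Handler] = field(default_factory=dict)
    public: Set[str] = field(default_factory=set)

    def dispatch(self, req: Request) -> Response:
        handler = self.routes.get(req.path)
        if handler is None:
            return Response(404)
        if req.path not in self.public and req.session_token not in SESSIONS:
            return Response(401, "login required")
        return handler(req)


def build_opt_in_router() -> OptInRouter:
    r = OptInRouter()
    r.routes["/login"] = login_page
    r.routes["/hr/admin"] = require_login(new_hires_dashboard)
    # The misstep: a second page serving the same data is registered bare.
    r.routes["/hr/new-hires"] = new_hires_dashboard
    return r


def build_default_deny_router() -> DefaultDenyRouter:
    r = DefaultDenyRouter(public={"/login"})
    r.routes["/login"] = login_page
    r.routes["/hr/admin"] = new_hires_dashboard
    r.routes["/hr/new-hires"] = new_hires_dashboard  # same omission, no leak
    return r


def audit_anonymous_access(router, paths: Iterable[str]) -> Dict[str, int]:
    """Defender's check: request each path with no session and record the status.
    Any 200 here is a page reachable by anonymous users."""
    return {p: router.dispatch(Request(p)).status for p in paths}


if __name__ == "__main__":
    paths = ["/login", "/hr/admin", "/hr/new-hires"]
    print("opt-in:      ", audit_anonymous_access(build_opt_in_router(), paths))
    print("default-deny:", audit_anonymous_access(build_default_deny_router(), paths))
```

Run against the opt-in router, the audit reports `/hr/new-hires` as 200 without a session; against the default-deny router the only anonymous 200 is the allowlisted `/login`. The same audit loop, pointed at a real route table or a crawl of an application's paths, is a cheap way to catch the misconfiguration before a researcher does.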