The digital solutions firm HCL left information belonging to some of its employees and customers publicly accessible.
UpGuard first noticed the breach when it came across personal information and plaintext passwords for new hires, reports on installations of customer infrastructure, and web applications for managing personnel. Using a keyword search technique that trawls for exposed sensitive information, UpGuard researchers found the data on various HCL domains on May 1.
“Whereas a typical data exposure involves one collection of data, either in a single storage bucket or database, in this case the data was spread out across multiple subdomains and had to be accessed through a web UI. These constraints expanded the scope of analysis and limited the speed with which the analyst could access the data,” UpGuard wrote.
One exposed subdomain contained HR administrative information with “substantial amounts of personal information.” This included a new-hire dashboard with records on 364 people, dated from 2013 to 2019; the exposed fields included candidate ID, name, mobile number, joining date, joining location, recruiter SAP code, recruiter name, created date, user name, cleartext password, BGV status, offer accepted, and a link to the candidate form, UpGuard reported.
UpGuard also found information on numerous tools, admin panels and reports used and created by HCL to track everything from the progress of certain projects to reports requested by its customers.
UpGuard did not whitewash HCL’s handling of all this information, but it did note that in today’s world a firm of HCL’s size, about 135,000 employees, has a very difficult task managing the mounds of data it compiles.
“That management complexity writ large is the root cause of data leaks in general. In this case, pages that appeared like they should require user authentication instead were accessible to anonymous users. The fact that other pages on those same apps did require user authentication speaks to the challenge that causes data leaks: if every page must be configured correctly, eventually a misstep will result in an exposure,” UpGuard concluded.
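The root cause UpGuard names, every page having to be configured correctly, is a design choice that can be reversed. As an added illustration (not UpGuard's or HCL's code), the minimal Python router below shows per-page opt-in authentication beside a deny-by-default router, plus an audit that lists non-public routes still served to anonymous requests; route names and page bodies are constructed for the example.

```python
# Added example, not UpGuard's or HCL's code: per-page opt-in authentication,
# where one handler that forgets its check exposes a page, beside a deny-by-
# default router that blocks anonymous access unless a route is explicitly
# public. Route names and page bodies are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple
@dataclass
class Request:
    path: str
    user: Optional[str] = None  # None means an anonymous request
# A handler returns page content, or None to signal "authentication required".
Handler = Callable[[Request], Optional[str]]

class OptInRouter:
    """Weak pattern: every handler must remember to check req.user itself."""
    def __init__(self) -> None:
        self.routes: Dict[str, Handler] = {}
        self.public: Set[str] = set()
    def route(self, path: str, handler: Handler, public: bool = False) -> None:
        self.routes[path] = handler
        if public:
            self.public.add(path)
    def dispatch(self, req: Request) -> Tuple[int, str]:
        handler = self.routes.get(req.path)
        if handler is None:
            return 404, ""
        body = handler(req)
        return (401, "") if body is None else (200, body)

class DenyByDefaultRouter(OptInRouter):
    """Hardened pattern: the router itself refuses anonymous access to any
    route not marked public, so a forgotten per-page check fails closed."""
    def dispatch(self, req: Request) -> Tuple[int, str]:
        if req.user is None and req.path in self.routes and req.path not in self.public:
            return 401, ""
        return super().dispatch(req)

def login_page(req: Request) -> Optional[str]:
    return "login form"                      # intentionally public
def new_hire_dashboard(req: Request) -> Optional[str]:
    return "new-hire records"                # the per-page check was forgotten
def project_report(req: Request) -> Optional[str]:
    return None if req.user is None else "project status report"  # check present

def build(router: OptInRouter) -> OptInRouter:
    router.route("/login", login_page, public=True)
    router.route("/hr/new-hires", new_hire_dashboard)
    router.route("/reports/projects", project_report)
    return router

def audit_anonymous(router: OptInRouter) -> Set[str]:
    """Non-public routes that still serve a page to an anonymous request."""
    return {p for p in router.routes
            if p not in router.public and router.dispatch(Request(p))[0] == 200}
```

With the opt-in router the audit flags `/hr/new-hires`; with the deny-by-default router the same forgotten check produces a 401 instead of an exposure, while authenticated users and the public login page are unaffected.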