IT services provider HCL Technologies has inadvertently exposed passwords, sensitive project reports and other private data of thousands of customers and internal employees on various public HCL subdomains.
HCL, an $8 billion conglomerate with more than 100,000 employees, specializes in engineering, software outsourcing and IT outsourcing. As such, it manages an influx of data regarding in-house personnel and customer projects.
On May 1, researchers discovered several publicly accessible pages on varying HCL domains, leaving an array of private data out in the open for anyone to look at. That includes personal information and plaintext passwords for new hires, reports on installations of customer infrastructure, and web applications for managing personnel from thousands of HCL customers and employees within the company. The data was secured on May 8.
“All of the data was available on subdomains of a domain owned by HCL,” Greg Pollock, VP of product at UpGuard, told Threatpost. “Many of the pages that allowed public access had been indexed by search engines. One subdomain was dedicated to human resources and included new employee names, email addresses, phone numbers, and passwords.”
It’s unclear whether malicious actors accessed the data, but researchers stressed that credentials and internal IDs could be used to log into other HCL systems, while other customer and employee data could be used for other nefarious purposes, such as phishing attacks, they said.
“The most obviously sensitive data were the freshly minted passwords for new hires,” researchers with UpGuard, who discovered the exposed data, said in a Tuesday post. “But credentials are valuable because they provide access to information, and the detailed and long-running project plans are the kind of information an attacker might abuse credentials to access. Furthermore, the pages accessible here show how identifying information like internal IDs can be used to expand the scope of a breach to collect more information.”
Several subdomains were included in the set of resources with personnel-specific information from HCL, researchers said – including the information for hundreds of new hires and thousands of employees.
Click to Expand
One such subdomain, containing pages for various HR administrative tasks, allowed anonymous access to a dashboard for new hires. This included records for 364 personnel, dating from 2013 to 2019 (In fact, 54 of the new hire records were as recent as May 6).
Most critically, the data exposed cleartext passwords for new hires, which could be used to access other HCL systems to which these employees would be given access. Also exposed were candidate IDs, names, mobile numbers, joining dates, recruiter SAP codes, recruiter names and a link to the candidate form.
Another personnel management page listed the names and SAP codes for over 2,800 employees.
In addition to HCL employees, the company was also accidentally exposing thousands records for customers.
That’s because a reporting interface for HCL’s “SmartManage” reporting system – which facilitates project management for customers – exposed information regarding project statuses, sites, incidents and more to anyone, unprotected by authentication measures.
That included internal analysis reports, detailed incident reports, network uptime reports, order shipment reports and more for over 2,000 customers.
The internal analysis report page included “Detailed Incidences Report,” which listed about 5,700 incidents (including 450 recent records for April 2019). This page exposed data about various incidents within customer projects, including the duration, reason and description. Also exposed was the “Service Window Uptime Report” which detailed service uptime and any service issues having to do with customer projects. Researchers were also able to access weekly customer reports, including 18,000 records in 2019 for tracking system performances.
Finally, more than 1,400 records were exposed from 2016 to 2018 as part of the “Reason Analysis Report” which outlined shipments, customer issues and other data. This included names, email address, and mobile phone numbers for fifteen cab hubs and seven bus hubs.
The data was first discovered on May 1 when an Upguard researcher, who was monitoring for the exposure of sensitive information for customers, discovered a publicly accessible file on Upguard’s domain.
After this initial discovery, it took a few more days to ascertain how big the exposure was: “Due to the nature of the exposure, ascertaining its extent required several days of work,” researchers said. “Whereas a typical data exposures involves one collection of data, either in a single storage bucket or database, in this case the data was spread out across multiple subdomains and had to be accessed through a web UI.”
On May 6, after reaching a reasonably complete level of analysis of the public pages and data, the researcher notified HCL. On May 8, the data was fully secured.
“I contacted HCL twice,” Polluck told Threatpost. “In the first notification I linked five subdomains with pages with information of varying degrees of sensitivity, and two pages with the most sensitive data to highlight the kinds of information available. By the next morning, those pages were inaccessible, but pages on the other subdomains were still accessible. I sent a second email linking to more pages. Again, anonymous access was removed by the next morning. I never received a response. HCL was quick to act but did not engage with us.”
HCL did not respond to a request for comment from Threatpost.
Inadvertent data exposure continues to plague companies – in fact, according to the recent Verizon Data Breach Investigations Report, insider-initiated incidents account for 34 percent of data breaches, with many of these being accidental exposures as opposed to malicious.
In many cases, data may be posted on a software-as-a-service application (such as Trello), or hosted on an infrastructure-as-a-service platform like Amazon Web Services. For instance, recently in May misconfigured cloud databases inadvertently leaked personally identifiable information (PII) in the care of two companies: The Ladders headhunting and job recruitment site, and the SkyMed medical evacuation service. And in April an ElasticSearch database that was left open to the internet exposed about 4.9 million data points of personally identifiable information (PII) related to individuals seeking treatment at an addiction treatment facility, Steps to Recovery.
In HCL’s case, the publicly accessible data was available for download straight from HCL domains.
“A large services provider like HCL necessarily manages lots of data, personnel, and projects,” researchers said. “That management complexity writ large is the root cause of data leaks in general. In this case, pages that appeared like they should require user authentication instead were accessible to anonymous users. The fact that other pages on those same apps did require user authentication speaks to the challenge that causes data leaks: if every page must be configured correctly, eventually a misstep will result in an exposure.”
Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.