IT services giant HCL has left employee passwords, customer project data and other sensitive information exposed online, all without any form of authentication, according to research by security consultancy UpGuard.
An HCL staff portal published new employees' names, usernames and passwords in clear text. "The most sensitive stuff was on an HR portal that had a report for new employees, and it was clearly being used actively," Greg Pollock, vice president of product at UpGuard, told CSO. "Fifty-four people had been onboarded at the time I found this."
The exposed new employee data, according to the UpGuard report, includes "candidate ID, name, mobile number, accession date, accession location, recruiter SAP code, recruiter name, created date, username, cleartext password, BGV status, accepted offer and a link to the candidate form."
This information could be used by malicious actors to log into HCL systems and reach other sensitive systems, or even to take control of a new employee's email account and send legitimate-looking phishing emails to others within the company or to HCL customers.
"[An attacker] could have gotten these passwords and logged in as a user, although of course I cannot test that," says Pollock: while investigating publicly available data is legal, unauthorized access would be a violation of the CFAA.
The lack of authentication exposed intellectual property (IP) belonging to both HCL and its customers. The status of project implementations is usually a trade secret, and IT outsourcers are known to poach each other's top talent. Simply knowing what HCL is working on is valuable information for any number of competitors.
The new employee passwords, which were included in the UpGuard report, turned out to be randomly generated and of reasonable complexity, Pollock says, but were then published online for the world to see. "These are IT employees; these are not their Spotify passwords," says Pollock. "These are company accounts for people who will be serving HCL customers."
An HCL spokesperson gave CSO this statement about the incident: "HCL Technologies takes data security extremely seriously. Immediately after we learned of the problem, we took swift action and resolved it. Our team is conducting a thorough assessment to determine exactly what happened and to implement measures to ensure that it does not happen again."
The discovery of this exposed data comes on the heels of a larger scandal at HCL's competitor Wipro, whose systems were hacked and used to launch attacks on Wipro's customers. There is no evidence yet that attackers used the exposed HCL data to attack HCL customers.
HCL customer project details also visible
HCL's SmartManage portal, used to share project data with customers in real time, was also affected. A drop-down list on the portal enumerates around 2,000 customers, including many Fortune 1000 companies. Beyond the usability nightmare of a 2,000-item drop-down menu, the exposed project data includes customer-sensitive information such as internal analysis reports, weekly customer reports and installation reports.
These project reports provide a detailed picture of the current status of each customer site, "valuable information for a project manager, or a potential attacker," notes the UpGuard report.
One notable customer was the State Bank of India (SBI) and its project to deploy and maintain a fleet of ATMs in India, connected via VSAT (Very Small Aperture Terminal) satellite dishes. SmartManage held around 5,700 "detailed incident reports" for the ATMs, as well as "service window uptime reports."
The HCL subdomains also displayed names and SAP codes for more than 2,800 employees, along with a publicly accessible web application that allows users to search for and "deactivate" employees, although UpGuard says it did not test this functionality for legal reasons.
A GDPR win: the DPO works
A bright spot in this incident was that HCL publishes the contact details of its data protection officer (DPO) on its website, making it easy for UpGuard to report the exposed data. Although HCL never responded to UpGuard's report, the data was no longer publicly available 24 hours later.
"It is a big problem for researchers to find someone who needs to be notified so that they can take action," says Pollock. "But HCL has set it up well; someone really is on the other side of it to make that happen."
The root cause of the problem appears to be poorly managed permissions on HCL's subdomains. "The permissions were page by page, which is a very difficult way to manage security," says Pollock. "Instead of having to do it right once, you have to do it right every time."
"And when people have to do it right every time, they don't," he adds. "That was the case here."
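The "do it right once" versus "do it right every time" point Pollock makes above, shown as an added example that is not from the article, HCL or UpGuard. It models a toy portal where every page has to remember its own login check (one page forgets) beside the same route table behind a single deny-by-default gate, plus a small audit function that lists which non-public pages an anonymous request can still read. The route paths, the session model and the route table are constructed for illustration only.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

Response = Tuple[int, str]


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: a path and the logged-in user (None = anonymous)."""
    path: str
    user: Optional[str] = None


# ---- Approach 1: page-by-page checks. Every handler must opt in. -------------
def requires_login(handler: Callable[[Request], Response]) -> Callable[[Request], Response]:
    """Per-page guard: only protects the handlers someone remembered to decorate."""
    def wrapped(req: Request) -> Response:
        if req.user is None:
            return 401, "login required"
        return handler(req)
    return wrapped


@requires_login
def hr_new_joiners(req: Request) -> Response:
    return 200, "new joiner report (hypothetical)"


def smartmanage_report(req: Request) -> Response:
    # Deliberately left without @requires_login: this is the page someone forgot.
    return 200, "customer project report (hypothetical)"


def login_form(req: Request) -> Response:
    return 200, "login form"


ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/hr/new-joiners": hr_new_joiners,
    "/smartmanage/report": smartmanage_report,
    "/login": login_form,
}

# Paths that are allowed to be reached anonymously; everything else is denied by default.
PUBLIC_PATHS: Set[str] = {"/login", "/healthz"}


def serve_page_by_page(req: Request, routes: Dict[str, Callable[[Request], Response]]) -> Response:
    """Dispatch straight to the handler; security depends on each handler's own check."""
    handler = routes.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)


# ---- Approach 2: one central gate in front of all routing. -------------------
def serve_central_gate(req: Request, routes: Dict[str, Callable[[Request], Response]],
                       public_paths: Set[str] = PUBLIC_PATHS) -> Response:
    """Check authentication once, before routing, so a forgotten per-page check cannot expose a page.
    Unknown paths are also refused to anonymous callers, which keeps the route list itself private."""
    if req.path not in public_paths and req.user is None:
        return 401, "login required"
    handler = routes.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)


def audit_anonymous_access(serve: Callable[[Request, Dict[str, Callable[[Request], Response]]], Response],
                           routes: Dict[str, Callable[[Request], Response]],
                           public_paths: Set[str] = PUBLIC_PATHS) -> list:
    """Return the non-public paths an anonymous request can read (HTTP 200) through `serve`.
    The expected result is an empty list; run it as a regression test whenever routes change."""
    return sorted(
        path for path in routes
        if path not in public_paths and serve(Request(path), routes)[0] == 200
    )


if __name__ == "__main__":
    print("page-by-page leaks:", audit_anonymous_access(serve_page_by_page, ROUTES))
    print("central-gate leaks:", audit_anonymous_access(serve_central_gate, ROUTES))
```

Under the page-by-page scheme the audit reports the report page that lacks its decorator; behind the central gate the same route table reports nothing, because the gate is evaluated before any handler and only an explicit allowlist bypasses it.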