HCL Exposed Sensitive Data, Passwords In Plain Text Across Its Subdomains

Data leakages do not always occur through unsecured databases. Such incidents can also result due to other flaws. Most recently IT services provider firm HCL Technologies inadvertently suffered a major security breach. The firm HCL exposed sensitive data across its subdomains publicly.

HCL Exposed Sensitive Data

Reportedly, the IT firm HCL exposed sensitive data inadvertently across its subdomains. The incident remained unnoticed until UpGuard discovered the flaw. As stated in their blog post, the glitch publicly exposed employee data, customer details, and employee passwords in plain text.

They first discovered file available for public download from one of the firm’s domains. Scratching the surface further led them to various other subdomains exposing company records.

Some pages of a subdomain handling HR tasks exposed personal information and employment history of employees. The researchers could see a total of 364 records with more than 200 from 2019. Regarding the kind of data exposed, UpGuard stated,

The exposed data included candidate ID, name, mobile number, joining date, joining location, recruiter SAP code, recruiter name, created date, user name, cleartext password, BGV status, offer accepted, and a link to the candidate form.

They could also see the names and SAP codes of more than 2800 employees, and the option to search and deactivate employees on other pages.

other than the employee data, the company also exposed explicit records regarding their projects, internal analysis reports, customer reports, various installation reports, escalation matrix for transport service, and the admin panel of recruiting system.

HCL Fixed The Flaws

UpGuard first discovered the breach on May 1, 2019. However, it took them time to confirm the incident owing to its peculiarity.

Due to the nature of the exposure, ascertaining its extent required several days of work. Whereas a typical data exposures involves one collection of data, either in a single storage bucket or database, in this case the data was spread out across multiple subdomains and had to be accessed through a web UI. These constraints expanded the scope of analysis and limited the speed with which the analyst could access the data.

UpGuard then reported the matter to HCL on May 6, 2019, and on May 8, 2019, two days after their report, the analyst confirmed the data was inaccessible to anonymous users. While the researchers did not hear from the firm, they did appreciate HCL’s promptness in handling the matter. They also appreciate the presence of a dedicated position of Data Protection Officer at the firm. They emphasize that such a position with clearly advertised contact information made it easier to report the security flaw.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients