- Multiple subdomains operated by HCL were found to be publicly exposed.
- The sensitive data exposed includes personal information and plaintext passwords for new hires, customer reports, and dashboards for managing personnel.
Indian IT firm HCL has come under the scanner after it left sensitive information such as employee passwords, as well as certain customer details out in the open. The alarming discovery was made by a security researcher from UpGuard.
The researcher found that sensitive information did not have any authentication measures and was publicly available. Upon being informed by the researcher, the technology service provider took down the exposed data.
Multiple subdomains of HCL were found spilling sensitive information. Initially, a single file containing customer keywords was found to be openly available for download from an HCL-owned domain. Subsequent searches on this domain led to the discovery of other publicly accessible pages with personal and business data.
What information was exposed?
One of the exposed subdomains contained a webpage with a dashboard for HR-related tasks. This dashboard contained records of 364 new employees. It included “candidate ID, name, mobile number, joining date, joining location, recruiter SAP code, recruiter name, created date, user name, cleartext password, BGV status, offer accepted, and a link to the candidate form.” Another page exposed names and SAP codes of more than 2,800 employees.
HCL’s “SmartManage” reporting system was also exposing confidential reports through its interface. This included ‘Internal Analysis Reports’, ‘Weekly Customer Reports’ and ‘Installation Reports’ that were related to HCL’s clients.
Another page displayed the names, email address, and mobile phone numbers for fifteen cab hubs and seven bus hubs. In addition, a system known as “Smart Recruit” showed details of approvers in the hiring process.
Response from HCL
UpGuard observed that HCL remediated the data exposure quickly when it informed the firm. “HCL has a Data Protection Officer, which not all companies do. The existence of that role is clearly advertised, and an email address for contacting them easy to find. Though HCL never responded to UpGuard, they took action immediately on notification,” the researchers wrote in their blog post.