HCL blunder leaves employee passwords, other sensitive data exposed
21 May 2019 | 0
IT services giant HCL left employee passwords exposed online, as well as customer project details, and other sensitive information, all without any form of authentication, research by security consultancy UpGuard reveals.
An HCL human resources portal published new employee names, usernames and clear text passwords. “The most sensitive stuff was on an HR portal and had a report for new hires, and it was very clearly being actively used,” Greg Pollock, vice-president of product at UpGuard, tells CSO. “Fifty-four people had been onboarded during the time period when I had found this.”
The exposed new employee data, UpGuard’s report says, included “candidate ID, name, mobile number, joining date, joining location, recruiter SAP code, recruiter name, created date, username, cleartext password, BGV status, offer accepted and a link to the candidate form.”
This information could have been used by malicious actors to log into HCL systems to gain access to further sensitive systems, or even to take control of a new employee’s email account and send legitimate-looking phishing emails to others inside the company, or to HCL’s customers.
“[An attacker] could have gotten these passwords and logged in as a user, although I of course can’t test that,” Pollock says, noting that while examining publicly available data is legal, unauthorised access would be a violation of the CFAA.
The lack of authentication exposed intellectual property (IP) belonging to both HCL and its clients. The status of project deployments is usually a trade secret, and IT outsourcers are known to poach each other’s top talent. Simply knowing what HCL is working on would be valuable information for any number of competitors.
The new employee passwords, redacted in UpGuard’s report, appeared to be randomly generated and of reasonable complexity, Pollock says, but were then published online for all the world to see. “These are IT workers; these aren’t their Spotify passwords,” Pollock says. “These are business accounts for people who will go on to service HCL’s clients.”
An HCL spokesperson gave CSO this statement regarding the event, “HCL Technologies takes data security extremely seriously. Immediately after learning of the issue we took action and resolved it quickly. Our team is in the process of conducting a thorough review to determine precisely what occurred and implement measures to ensure it does not happen again.”
The discovery of this exposed data comes on the heels of a larger scandal at HCL’s competitor Wipro, whose systems were hacked and used to launch attacks against Wipro’s clients. There’s no evidence yet that attackers have used the exposed HCL employee credentials to attack HCL customers.
Customer project details also exposed
HCL’s SmartManage portal, used to share project details with customers in real time, was also affected. A dropdown on the portal includes a list of around 2,000 customers, many of them Fortune 1000 companies. Beyond the usability nightmare of a 2,000-item dropdown menu, the project details exposed included customer sensitive information such as internal analysis reports, weekly customer reports and installation reports.
These project reports offer a detailed glimpse at the current status of each customer site, “valuable information for a project manager — or a would-be attacker,” the UpGuard report notes.
One noteworthy client was the State Bank of India (SBI) and their project to deploy and maintain a fleet of ATMs in India connected using VSAT (Very Small Aperture Terminal) satellite dishes. SmartManage listed around 5,700 “detailed incident reports” for the ATMs, as well as “service window uptime reports.”
The HCL subdomains also exposed names and SAP codes for over 2,800 employees, including a publicly available web application that permits users to look up and “deactivate” employees, although UpGuard says for legal reasons they did not test this functionality.
A GDPR win: DPOs work
One bright spot to this incident was that HCL published the contact details of its data protection officer (DPO) on its web site, making it easy for UpGuard to report the exposed data. While HCL never responded to UpGuard’s report, the data was no longer publicly available 24 hours later. (HCL had not responded to repeated requests for comment by time of writing.)
“It’s a huge problem for researchers to find someone to notify so they’ll take action,” Pollock says. “But HCL has it set up well. Someone is really on the other side of things taking care of it.”
The root cause of the problem appears to have been mismanaged permissions on HCL subdomains. “The permissions were on a page-by-page basis, which is a very difficult way to manage security,” Pollock says. “Rather than having to get it right one time, you have to get it right every time.”
“And when people have to get it right every time, they don’t,” he adds. “That was the case here.”
IDG News Service