IT Services Giant HCL: Latest Organization that Inadvertently Leaks Sensitive Data
IT services giant HCL Technologies, an $8 billion company that operates in 44 countries and has more than 100,000 employees, is the latest organization found to have inadvertently exposed its sensitive data online.
UpGuardrecently revealed that a member of its Data Breach Research team discovered on May 1, 2019 publicly accessible information belonging to information technology services provider HCL. According to UpGuard, members of its research team didn’t specifically search for HCL data leak, but the data leak discovery was an offshoot of a keyword-based and datacentric online search to check exposures of sensitive information belonging to UpGuard’s customers.
Due to the nature of the data exposure, UpGuard said it took several days to determine the extent of the data leak. On May 6, 2019, with a clear overview of the extent of the data leak, UpGuard notified HCL about the data leak. Less than 48 hours after the data leak notification, HCL sealed off the sensitive data from public view.
UpGuard said that the data inadvertently exposed could be accessed anonymously by anyone via HCL’s web portal without the need for authentication. Part of the inadvertently exposed data was found on HCL’s human resource web portal for new hires that included records of the company’s personnel that dates back to 2013. The exposed data for new hires included candidate ID, name, mobile number, joining date, joining location, recruiter name, created date, user name, clear text password, job offer accepted and a link to the candidate form.
Another part of the inadvertently exposed data was found on HCL’s SmartManage, a web portal that serves as a project and network management tool, enabling HCL’s customers to track their projects. A dropdown on the SmartManage portal included a list of close to 2,000 customers, many of them part of the Fortune 1000 list.
While none of the inadvertently exposed data under this SmartManage portal that was accessible to anonymous users included credentials, a substantial amount of information about HCL’s customers such as project statuses, sites, incidents, and other information was accessible to anonymous users.
Another inadvertently exposed data on HCL’s SmartManage portal that were accessible to anonymous users included escalation matrix for transportation service, with a page containing names, email address and mobile phone numbers for cab hubs and bus hubs.
“HCL Technologies takes data security extremely seriously,” HCL said in a statement. “As soon as this incident was reported, HCL took immediate action to block the inadvertent access. Based on our investigation of this specific issue, we have determined that no sensitive employee or customer data was accessed, compromised or exposed in any way, per any applicable privacy regulations.”
Prevalence of Inadvertent Data Leaks
In April this year, UpGuardreported another inadvertent data leak, this time, involving Mexico-based media company Cultura Colectiva, a partner of Facebook. Cultura Colectiva’s Amazon S3 bucket, containing over 540 million records detailing comments, likes, reactions, account names, Facebook IDs and more, was inadvertently misconfigured to allow public download of files.
The 2019 Verizon Data Breach Investigations Reportshowed that 34% of data breaches were insider-initiated incidents, majority of which (21%) were accidental exposures. Insider errors, which include sending data to the incorrect recipients (either via email or by mailed documents), exposing data on a public website (publishing error) or misconfiguring an asset to allow for unwanted guests continue to be an issue, the report said.
“System administrators are creeping up and while the rogue admin planting logic bombs and other mayhem makes for a good story, the presence of insiders is most often in the form of errors,” this according to the 2019 Verizon Data Breach Investigations Report.
The 2018 Cost of a Data Breach Study: Global Overview, a study conducted by Ponemon and commissioned by IBM, found that human error was one of the main root causes of data breaches on a consolidated basis for organizations in all countries in 2017. The Ponemon-IBM study found that 27% of the data breach incidents on 2017 were caused by negligent insiders – referring to individuals (employees or contractors) who caused a data breach because of their carelessness, as determined in a post data breach investigation.
Cybersecurity Best Practices
One take away with the recent inadvertent data leak at HCL is the fast action of the company, that is, it made the known data exposures inaccessible in just less than 48 hours upon notification.
According to UpGuard, the quick action on the part of HCL could be attributed to its Data Protection Officer, with the contact email address of this officer clearly advertised. Due to the lack of public, correct contact information for the responsible party, UpGuard said, many inadvertent data leaks remain public long after detection.
In the case of Cultura Colectiva data leak, UpGuard notified the company twice in January 2019 and Amazon twice in late January and late February this year. The Cultura Colectiva data leak was only sealed from public view in early April this year after Facebook was contacted by Bloomberg for comment.
Implications of inadvertent data leaks are far-reaching. Inadvertently exposed data that are meant for project managers when they land in the hands of malicious attackers could prove disastrous. For instance, this exposed sensitive internal data could be sold to competitors or for the purpose of wasting valuable resources of the affected organization. Exposed passwords, meanwhile, could be used by malicious actors to access other systems in the affected organization or used for phishing attacks.
Understanding IT risks is essential for every IT department and for an IT service provider. Connect with our trained, certified and experience information security team at (416) 920-3000or email firstname.lastname@example.org we will show you how to minimize the likelihood of a sensitive data leak at your organization.