HCL exposed employee passwords, project data: Australian security firm

Upguard says HCL Technologies fixed the error when it notified the Indian IT services company.

HCL Technologies, India's third largest IT services firm, left employee passwords, customer project details, and other sensitive information exposed online, but it fixed the issue when notified, said an Australian cyber security start-up. 

Upguard, in a blog post on its website, on Tuesday said a file containing customer keywords was publicly accessible, as were some pages with personal and business data.

"A dashboard for new hires included records for 364 personnel. The oldest were from 2013, but over two hundred records were from 2019. In fact, 54 of the records were for people who joined on May 6, 2019. The exposed data included candidate ID, name, mobile number, joining date, joining location, recruiter SAP code, recruiter name, created date, user name, cleartext password, BGV status, offer accepted, and a link to the candidate form. Among those data points, the most obvious risk is that the passwords could be used to access other HCL systems to which these employees would be given access," the blog noted. 

However, upon reaching out to the data protection officer, whose details were available on the website, the issue was fixed. 

"HCL Technologies takes data security extremely seriously. As soon as this incident was reported, HCL took immediate action to block the inadvertent access. Based on our investigation of this specific issue, we have determined that no sensitive employee or customer data was accessed, compromised or exposed in any way, per any applicable privacy regulations. We remain deeply committed to the values of trust and transparency that underpin our relationship with our employees and customers. If there is any further information relevant to this incident, we will provide an update," said a company spokeswoman in an email response.