Information security audit specialists reported that HCL, an important IT services company, left its employees’ passwords exposed online, along with other data such as confidential information related to its clients’ projects.
According to reports, an online portal of the company’s human resources area exposed the names of newly hired employees, their usernames for the platform, and plaintext passwords. According to the company, the site remained active during the data exposure period, compromising the access credentials of about 54 new employees.
The full profile of the compromised employees includes information such as:
- Employees’ full names
- Phone numbers
- Date of first day at work
- Recruiter’s SAP code
The exposed data could have been used by malicious hackers to log into the company’s networks, access sensitive systems, and even take control of employees’ email accounts to deploy phishing campaigns against other HCL employees, the information security audit specialists commented.
This incident may have exposed confidential intellectual property of both the company and its clients. This kind of information is usually treated as a trade secret, so access to information hosted by HCL could be very useful to customers and competitors.
A spokesman for the company stated: “At HCL we take information security very seriously. As soon as we discovered this security incident, we took the necessary steps to resolve the problem as soon as possible. In addition, our security teams will perform a thorough review to know exactly what happened and prevent it from happening again.”
According to the information security audit specialists, SmartManage, an HCL portal for sharing information on the company’s projects with its clients, was also compromised, exposing information such as:
- Internal analysis
- Productivity reports
- Software installation reports
Recently, specialists from the International Institute of Cyber Security (IICS) reported a serious security incident at Wipro, one of HCL’s largest competitors; during this incident, hackers seized Wipro’s systems to launch attacks against some of the company’s clients. For now there is no evidence that something similar happened at HCL, although the possibility should not be ruled out.