HCL’s employee data left exposed online for the world to see

It included vital information on HCL’s 2000 clients and critical projects as well.


In a rare case of a data leak, sensitive data and information pertaining to the IT company HCL was exposed online. Employee passwords, details of customers’ projects and other sensitive data were all out there for anybody to view and misuse.

The HCL human-resource portal, which was active and in use, showed the names of newly recruited employees along with their usernames and clear-text passwords. The candidate IDs, names, mobile numbers, joining date, joining location, recruiter SAP code, recruiter name, created date, username, clear-text password, BGV status, offer accepted, as well as a link to the candidate form, were all exposed without authentication.

Such sensitive data can be misused to get into the HCL system and then gain further access to more sensitive data. The data could have been used to access the e-mail accounts of the new recruits and send phishing e-mails to people inside the Company or to the clients.

HCL’s intellectual property (IP), as well as that of its clients, was out there for the taking. This is a big risk, especially in the IT sector, where competition is tough. Data pertaining to HCL’s projects and clients, in the hands of competitors, would be enough to ruin the Company’s standing. As it is, rival companies are known to poach each other’s talent.

Although the employee passwords were complex and randomly generated, their exposure rendered them rather useless. Besides, these passwords belonged to employees who were allocated to important and prestigious client projects, and therefore gave away vital and invaluable information.

In addition to the employee data, customer-sensitive information such as internal analysis reports, weekly customer reports and installation reports of 2000 clients was also exposed.

This mismanagement by the Company was noticed by UpGuard, a security-consultancy firm. When the firm brought the leak to the notice of HCL’s data protection officer, all the exposed information became unavailable within a span of 24 hours.
