The UpGuard Cyber Risk Research team has discovered and secured a data exposure containing medical information for hundreds of individuals and bank account numbers for several large Australian enterprises, preventing any future exploitation of this information. The information belonged to OneHalf, a business process outsourcing firm operating in the APAC region, and was exposed via a set of public Github repositories. The projects' commit history showed they had been under development on Github for at least two years, and were still being actively updated while UpGuard notified OneHalf. Identifying and securing these projects almost certainly prevented more personal and corporate information from being committed to the publicly accessible repositories.
On August 9, 2018, an UpGuard analyst discovered a repo named "HRIS," which the readme explained was for "Onehalf Human Resources Information System. CENTRALIZED DATABASE FOR ALL SYSTEMS." The owner of HRIS also had several more public repos, many with "OH"– presumably for "OneHalf"– in the name. The most significant databases were those containing personal information for its employees and banking information for large businesses that were likely OneHalf's customers. On August 22, an UpGuard analyst confirmed that these repositories were no longer publicly accessible.
The most important information in the "HRIS" project was in a 1.2MB file named "hrisdb-02012018.sql," suggesting this file was exported early in 2018. As the project’s description suggests, this project appears to be a centralized database of information generated and/or used by the related projects. As a master human resources database, hrisdb-02012018.sql contained a variety of detailed information on hundreds of OneHalf employees.
The table "employees" contained full personal information for approximately 250 individuals, such as name, date of birth, phone number, address, personal and work email addresses, and blood type. In addition to the 250 individuals with apparently complete records, there were another 20 at the end of the table– the most recently added rows– with only their names and id numbers present. Given the function of these projects, it appears that these were new employees whose data had not yet been added to the system at the time this database dump was created.
In addition to the 38 data points for each employee in the "employees" table, the table "medicalrecord" captured a further 91 data points of medical history. For some conditions, like asthma, constipation, diabetes, seizures, depression, and HIV/AIDS, either a 0 or 1 was recorded to indicate its presence of absence. Other data was recorded as lists, like heritable diseases and allergies, or numerical values, like number of pregnancies, height, weight, and BMI.
The bulk of the exposed personal information was contained in the "employees" and "medicalrecord" tables, but other tables included additional details about the employees' lives: their available hours each day of the week, the dates and reason for any leave requests, for which clients they worked, and their educational status. Lastly, information for 237 emergency contacts was also exposed, including name, relationship, address, and phone number.
Finally, a table named "users" contained 300 usernames and plaintext passwords. The passwords appear to be used for interacting with the internal OneHalf systems stored in these repositories. Many but not all of the passwords were the same value, suggesting there was a default that some employees had updated to be unique but that could have been used to gain unauthorized access to other users' files.
In addition to the personal information exposed for OneHalf employees in the project "HRIS," another project named "ohserviceform" included a list of 28 companies operating in Australia that appear to be OneHalf clients. For many of these companies, their banking BSB and account numbers were also listed in plain text. While BSB numbers are public, account numbers are not, and unauthorized possession of these numbers make it easier to commit a range of financial crimes. In some cases the contact information for the individuals at those accounts was also included, further heightening the potential for fraud. Most of the companies involved in the exposure operate in transport and logistics, but there were also banking, insurance, and manufacturing businesses in OneHalf's client list.
While relatively small in scale compared to other breaches secured by the the UpGuard Cyber Risk team, the case of OneHalf highlights how pervasive such exposures are and how intensely personal the data exposed can be. When process failures lead to such events, they can easily expose multiple types of data, putting individuals and businesses at risk. Indeed, while these types of data can be separated, the risk they pose cannot. When personal data is exposed, the businesses relying on those individuals are also at risk, and when businesses are compromised, the effects can reach to their customers and employees.