- A U.S. federal jury ordered Tata Consultancy Services to pay Epic Systems Corp. $940 million after a TCS employee used credentials from a previous contract to illegally access confidential data.
- The employee reportedly accessed an Epic Web portal using prior TCS credentials for more than two years and even shared the credentials with other TCS employees.
- Epic, a U.S.-based healthcare software company, alleged that TCS, India's biggest outsourcing provider by revenue, used the accessed information to help one of TCS' competing healthcare software products.
In 2011 Kaiser Permanente contracted with TCS to test new versions of Epic software prior to installation. Epic reportedly intended to deactivate the TCS employee’s account after the project finished, but the account was instead listed as "expired." From there, the TCS employee was able to reactivate his account and use it in 2013 and 2014, according to court documents.
"This is basically every CIO and CISO’s nightmare – unauthorized access to sensitive data and information by offshore contractors that are a direct or indirect part of their supply chain," said Avivah Litan, vice president and distinguished analyst at Gartner Inc. in an email sent to the Wall Street Journal.
In addition to the long-term unauthorized access, other people used the TCS employee’s credentials to download over 6,000 documents and more than 1,600 files between June 2012 to June 2014. Epic was able to block the TCS employees’ credentials in June 2014.
TCS said "did not misuse or derive any benefit from downloaded documents from Epic System’s…portal," according to a statement posted to its website.
The case draws attention to some of the challenges associated with controlling permissions on jobs that include third-party contractors, a large part of the IT world.
Last month, a New York-based IT contractor outsourced government work to India, a move that violated state security rules, according to New York investigators. Focused Technologies Imaging Services, which had a $3.45 million contract to scan and index 22 million fingerprint cards from the New York State Division of Criminal Justice Services, hired an India-based company to perform significant portion of the work, according to state officials and reported by Computerworld. The company was fined $3 million for the infringement and was required to hire an independent monitor approved by the attorney general's office.