
Root Cause Analysis

Version – 1.1

Ticket Date: 11th Mar’24 Ticket No: SSM 1675

Instance Date: 02nd Apr’24 Hostname: SHANB6847

Incident / Problem Description:

Associate shared the AD admin credentials with the client IT team, which is a security breach as per the Data Security guidelines.

Initial Observations:

Issue Description:

Client IT uses the Bomgar remote application to remote into the user's PC to check the login access for the client EMR system, so admin credentials were required for the same. Sharecare IT assistance was needed in getting the admin credentials.

Case History: (timeline as per ticketing tool)

11-03-2024 12:05 PM – User Maria Bernal created the ticket.

11-03-2024 12:16 PM – Snigdha assigned the ticket to herself (from unassigned).

11-03-2024 12:37 PM – Snigdha added a comment on the ticket that she texted the user on Teams and was waiting for a response, and changed the ticket status to “waiting for customer”.

12-03-2024 03:05 PM – Snigdha made a note that Maria informed she will get back to them when her client IT team responds.

13-03-2024 03:30 PM – Snigdha added a second note with the same information, as the client IT team was not responding to Maria.

From 14-03-2024 until 15-03-2024 (2 working days) – no follow-up was done on the ticket by any SD associate.

18-03-2024 10:55 AM – Snigdha added a third note with the same information, as the client IT team was not responding to Maria.

From 19-03-2024 until 22-03-2024 (4 working days) – no follow-up was done on the ticket by any SD associate.

24-03-2024 11:53 PM – Snigdha added a fourth note with the same information, as the client IT team was not responding to Maria.

From 25-03-2024 until 26-03-2024 (2 working days) – no follow-up was done on the ticket by any SD associate.

28-03-2024 07:18 AM – Snigdha added a comment on the ticket that the first follow-up e-mail was sent to the user.

29-03-2024 02:47 PM – Huzair added a note that he reached the user on Teams requesting to schedule a time based on client IT availability. However, the user informed that she had contacted the client IT team and there was still no response, so she will try again.

01-04-2024 06:58 PM – Mayank updated the impact status from “Single user: unable to work” to “3-5 users: Work performance impacted”.

02-04-2024 12:58 AM – Mayank added an internal note that he contacted the user in a group call with client IT and provided the admin username & password to access the client software. The user informed that she needs to check with client IT for other users' access. Admin rights need to be provided for other users as well.

03-04-2024 10:20 AM – The ticket status is “waiting on customer”.

Observations:

Client IT needed to remote into the user's PC to fix the login issue with the client's EMR system. They required elevated access on the user's system and hence needed AD admin credentials for the same, so the Sharecare IT team's assistance was needed in getting the elevated access. Agent Snigdha tried to connect with the user on Teams, but as there was no response from the user she commented on the ticket multiple times. Follow-up emails were sent to the user twice, on 12th Mar and 13th Mar 2024. There was no response from the user, so a first follow-up email was sent to the user again on 28th Mar 2024. Later Huzair followed up on the ticket by reaching the user through Teams to ask if they could schedule a time based on client IT availability, yet the user informed that they are not so responsive and she will try again. Then Mayank changed the impact status of the ticket on April 1 to “3-5 users: Work performance impacted”.

On April 2 2024 agent Mayank contacted the user in a group call with client IT and provided an admin username & password to Maria in the MS Teams chat, asking her to use them to elevate access on the system so the client software could run. The user informed that she needs to check with client IT for other users' access, so the conversation stopped there. Mayank did not document in the ticket that he had shared his own AD admin credentials with the end user in an MS Teams group chat. Maria then sent an email to the security ops team reporting the incident, with screenshots of the conversation showing the credential sharing. This is a clear miss on the associate's part and a possible security breach.

Error category: Valid Escalation

Associate shared the admin credentials with the client IT team, which is a security breach as per the Data Security guidelines.

Immediate Actions taken:

- It has been confirmed that the security team has reset the associate's AD password.
- SD Associate Mayank has been removed from production with immediate effect until the investigation is completed.
- An immediate reiteration session was conducted for all associates to ensure no further breaches.
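The following is an added example and not part of this RCA: it shows how a security team would carry out the credential reset and containment listed above for an AD admin account whose password was pasted into a Teams chat, and then check where that account was used afterwards. The account name sd-admin-mchhetri, the exposure time, and the choice of SHANB6847 as the host whose Security log is audited are assumptions for illustration; the cmdlets are from the RSAT ActiveDirectory module and the built-in Get-WinEvent.

```powershell
# Added example (not from the RCA): rotate and contain an AD admin account whose
# password was shared in a Teams chat, then check where it was used.
# Assumptions: the account is 'sd-admin-mchhetri', the exposure time is the
# timeline entry of 02-04-2024 12:58 AM, and SHANB6847 is the host to audit.
# Requires the RSAT ActiveDirectory module and rights to reset this account.
Import-Module ActiveDirectory

$Account   = 'sd-admin-mchhetri'             # assumed sAMAccountName of the shared admin account
$Computer  = 'SHANB6847'                     # hostname from the RCA header (assumed to be the audited host)
$ExposedAt = Get-Date '2024-04-02 00:58'     # when the credential was pasted into chat (ticket timeline)

# 1. Rotate the secret: 32 random bytes, base64-encoded, and force a change at next
#    logon so the value generated here never becomes the long-term password either.
$Bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$NewPassword = ConvertTo-SecureString ([Convert]::ToBase64String($Bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $Account -Reset -NewPassword $NewPassword
Set-ADUser -Identity $Account -ChangePasswordAtLogon $true

# 2. Take the account out of service until the investigation closes (the RCA's
#    "removed from production"). A password reset does not invalidate Kerberos tickets
#    already issued (a TGT lives 10 hours by default), so disabling the account is what
#    actually stops anyone who already logged on with the shared password.
Disable-ADAccount -Identity $Account

# 3. Confirm the reset and disablement took effect.
Get-ADUser -Identity $Account -Properties PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate

# 4. Audit use of the account on the host from the exposure time onward.
#    4624 = successful logon, 4625 = failed logon, 4672 = special privileges assigned
#    (the event an admin logon produces). A 4624/4672 from a source address that is
#    not a known service-desk machine is a lead for the investigation.
Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4672
    StartTime = $ExposedAt
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Account Name:\s+$Account\b" } |
    Select-Object TimeCreated, Id,
        @{ Name = 'SourceAddress'
           Expression = { if ($_.Message -match 'Source Network Address:\s+(\S+)') { $Matches[1] } else { '-' } } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Because the credential in this incident was the agent's own AD admin account, the account rotated and disabled is the agent's, not a shared service account. The audit in step 4 covers only the one host named; where the same account is valid on other machines, the same query should be run against each of them, or against the domain controllers' Security logs, which record 4624/4672 for every Kerberos authentication in the domain.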

Past History:
The associate was identified multiple times with documentation issues, and the same was highlighted in feedback sessions.

Root Cause Analysis:

Category of Root Cause: SD admin-level credentials shared with end user via Teams chat

SD agent “Mayank Chhetri” provided his employee-level AD admin username & password to the end user without prior approval or any valid justification, and did not document the same in the ticket.

Recommendations:

Action Type       | Description                                                                                                   | Action Owner            | Target Date | Completion Date | Status
------------------|---------------------------------------------------------------------------------------------------------------|-------------------------|-------------|-----------------|----------
Corrective Action | Associate AD credentials were reset by the Security team & he was taken out of Production until further discussions | Arka Mukherjee          | -           | 03-Apr-2024     | Completed
Preventive Action | Refreshers sensitizing the Security threats, Gemba walk activity, Cybersecurity refresher with Q&A session etc. | Ramya, Zoeb & Santosh   | 05-Apr-2024 |                 | WIP

Note: Action Type (Correction / Corrective Action / Preventive Action)

Apr 2024 Thakur Ghatwak Sanjay Lal Sai Prabha Pendem Kalyan Bharath
Issued month Prepared By Checked By Issued By
Page 3 of 3