Once again, an attack on a third party has exposed confidential information from big brands – this time, Toyota, Ford, General Motors, Volkswagen, Fiat Chrysler, and Tesla are among those supposedly impacted.
Breaches at Typeform and Inbenta, which compromised Ticketmaster, Monzo, Fortnum & Mason and more, have demonstrated clearly that companies will be held accountable – at least by the media – for their suppliers' security failings.
This time, the company breached was Level One Robotics, a small Canadian firm which provides engineering services, specialising in robotics and automation, to manufacturing companies.
Security researcher Chris Vickery, director of cyber risk research at UpGuard, says that the company had left almost 47,000 files totalling around 157GB of sensitive corporate data exposed online, including details on over a hundred companies with which it had done business.
According to UpGuard, the exposed data included over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, banking details for Level One Robotics, VPN access request forms, personal information (including drivers’ licenses) on Level One Robotics employees, and non-disclosure agreements detailing the sensitivity of the data which was exposed.
“That was a big red flag,” said Vickery. “If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”
The exposed data was discovered on July 1, stored on an rsync server that accepted connections without a password and without any other condition (such as restricting access to particular IP addresses), meaning that anyone who connected to it could download the material. The only prerequisites for a would-be thief were an rsync client and knowledge – or a chance discovery – of the server's IP address.
In addition to the data being readable, UpGuard also noted that the server was publicly writable, meaning that anyone who connected could have altered the files, not just copied them.
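The three weaknesses described above (no authentication, no source-address restriction, and a writable share) are each a single setting in an rsync daemon's `rsyncd.conf`. The following checker is an added example, not part of the original article and not code from UpGuard or Level One Robotics; it parses a daemon configuration, applies rsync's defaults (`read only` defaults to yes, `auth users` and `hosts allow` default to unset, i.e. open), and reports which modules would be exposed. The two embedded configurations are constructed samples: the "weak" one is modelled on an open backup share of the kind the article describes, not on Level One's actual configuration, and the module name, path, user and address range in the hardened version are illustrative assumptions.

```python
"""Audit an rsyncd.conf for unauthenticated, unrestricted or writable modules.

Added example: a defender's configuration check, not code from the article.
"""
import re
from typing import Dict, List

# Constructed sample: an open, writable module with no auth and no host allow-list.
WEAK_CONF = """
uid = nobody
gid = nogroup
use chroot = yes

[backup]
    path = /srv/backup
    comment = nightly backups
    read only = no
"""

# Constructed sample: the same module with the three settings corrected.
# (backupuser, /etc/rsyncd.secrets and 10.0.0.0/8 are illustrative assumptions.)
HARDENED_CONF = """
uid = nobody
gid = nogroup
use chroot = yes

[backup]
    path = /srv/backup
    comment = nightly backups
    read only = yes
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""


def _norm_key(key: str) -> str:
    # rsyncd.conf parameter names are case- and whitespace-insensitive
    # ("read only" and "ReadOnly" are the same parameter).
    return re.sub(r"\s+", "", key).lower()


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {module_name: {normalised_key: value}}.

    Global parameters (before the first [module] header) are stored under ""
    and are inherited by every module unless the module overrides them.
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        # Full-line comments start with '#' or ';'; blank lines carry nothing.
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][_norm_key(key)] = value.strip()
    return sections


def effective_settings(sections: Dict[str, Dict[str, str]], module: str) -> Dict[str, str]:
    """Module settings with global settings applied as defaults."""
    merged = dict(sections[""])
    merged.update(sections[module])
    return merged


def audit(text: str) -> Dict[str, List[str]]:
    """Map each module name to a list of exposure findings (empty list = none)."""
    sections = parse_rsyncd_conf(text)
    findings: Dict[str, List[str]] = {}
    for module in sections:
        if module == "":
            continue
        cfg = effective_settings(sections, module)
        issues: List[str] = []
        # Default: no 'auth users' means the daemon asks for no credentials at all.
        if not cfg.get("authusers"):
            issues.append("no 'auth users': anyone with an rsync client can connect")
        # Default: no 'hosts allow' means every source address is accepted.
        if not cfg.get("hostsallow"):
            issues.append("no 'hosts allow': reachable from any source address")
        # Default is 'read only = yes'; 'no' lets clients upload and alter files.
        if cfg.get("readonly", "yes").lower() in ("no", "false", "0"):
            issues.append("'read only = no': clients can alter files, not just read them")
        findings[module] = issues
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for module, issues in audit(conf).items():
            print(f"[{module}]", "OK" if not issues else "")
            for issue in issues:
                print("  -", issue)
```

Run against a real daemon's `/etc/rsyncd.conf` with `audit(open(path).read())`. Note that `hosts allow` is a network-level control and `auth users` only works when the matching `secrets file` exists and is readable by the daemon; the checker reports the settings as written and does not verify that the secrets file is present.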
After being made aware of the vulnerable server, Level One Robotics was able to prevent further unauthorised access within the day.
“Level One takes these allegations very seriously and is diligently working to conduct a full investigation of the nature, extent and ramifications of this alleged data exposure,” said Level One Robotics CEO Milan Gasko. “In order to preserve the integrity of this investigation, we will not be providing comment at this time.”
He said it was “extremely unlikely” that the data had been accessed by anyone other than UpGuard’s Cyber Risk team.
“We’ve found no information that would indicate Ford is impacted,” said a Ford spokesperson, taking a similar stance. “This supplier does not handle confidential information for the joint venture to whom they are contracted and they have not alerted us to any issue.”