A publicly accessible server belonging to Level One Robotics and Controls exposed 157 GB of highly sensitive data from hundreds of companies, including Tesla, Toyota and Ford.

A security researcher discovered 157 GB of highly sensitive data from more than 100 companies, including automakers such as Ford, GM, Tesla, Toyota, Chrysler, Fiat, and Volkswagen, exposed on the web. The data, stored on a publicly exposed backup server belonging to the Canadian company Level One Robotics and Controls, required not so much as a password to access.

UpGuard security researcher Chris Vickery, who discovered the unsecured data, classified it into three categories: customer, employee and Level One data. UpGuard said the publicly accessible data included nearly 47,000 files dealing with 10 years of assembly line schematics, factory floor plans and layouts, as well as robotic configurations, animations and documentation.

The enormous breach also included VPN access request forms, nondisclosure agreements (NDAs), ID badge request forms, and scans of some Level One employees’ driver’s licenses and passports, which would be handy for social engineering, fraud, and identity theft. Level One business data ranging from contracts to account and routing numbers and even SWIFT international bank codes was also exposed.

Documents exposed via rsync file transfer protocol

The unsecured trade secrets and corporate documents had been exposed via the rsync file transfer protocol. UpGuard wrote, “The rsync server was not restricted by IP or user, and the data set was downloadable to any rsync client that connected to the rsync port. The sheer amount of sensitive data and the number of affected businesses illustrate how third- and fourth-party supply chain cyber risk can affect even the largest companies.
The automation and digitization of manufacturing has transformed the industry, but it has also created a new area of concern for industries, and one that must be taken seriously for organizations to thrive in a healthy digital ecosystem.” Not only could anyone connect to Level One’s rsync server, but it was also “publicly writable, meaning that someone could potentially have altered the documents there, for example replacing bank account numbers in direct deposit instructions, or embedding malware.”

The exposed rsync server was discovered on July 1. Attempts to contact Level One started on July 5, but contact wasn’t established until July 9. The exposure was closed within a day, by July 10. Level One is reportedly investigating the “alleged data exposure.” The company’s chief executive, Milan Gasko, told The New York Times that it was “extremely unlikely” that anyone besides Vickery had viewed the data, but he declined to comment on whether there were tools in place to detect unauthorized access.

The automotive giants affected by the breach also would not comment.

“The supply chain has become the weakest part of enterprise data privacy,” UpGuard concluded. Companies that spend many millions a year on cybersecurity can still be exposed by a vendor who handles their data. The complexity of the supply chain involves a sprawl of third and fourth parties who handle corporate data sets. All of these vendors have their own processes and systems that determine how well the data is protected. Organizations and their vendors must have standardized deployment processes that create and maintain assets securely, reducing the likelihood of a data incident. If this security is not built into the processes themselves, there will always be misconfigurations that slip through and lead to data exposure. They must also have an exposure response plan, so that when they are affected, they can act quickly to remediate, as Level One did in this case.
Level One Robotics works with clients and other vendors, as necessitated by the robotics manufacturing and sales process. While such an ecosystem can make for great efficiencies and scale, it also opens the entire chain up to risk when a single link faces an exposure.
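The three weaknesses UpGuard describes (no IP restriction, no user authentication, a writable module) are all rsyncd.conf settings, so they can be caught before deployment. The following audit script is an added example, not code from UpGuard or Level One; both configuration fragments in it are constructed to illustrate a weak module and its hardened counterpart, and the path, network and user names are invented.

```python
import configparser
from typing import Dict, List

# Constructed rsyncd.conf modelled on the exposure described above: a module
# that is writable and restricted by neither IP nor user. Not a real config.
WEAK_CONF = """\
[backup]
path = /srv/backup
comment = nightly backup
read only = no
list = yes
"""

# Constructed hardened version of the same module (values are placeholders).
HARDENED_CONF = """\
[backup]
path = /srv/backup
comment = nightly backup
read only = yes
list = no
hosts allow = 10.0.5.0/24
auth users = backupclient
secrets file = /etc/rsyncd.secrets
"""

def parse_rsyncd(text: str) -> Dict[str, Dict[str, str]]:
    """Parse rsyncd.conf text into {module: {option: value}}.

    rsyncd.conf uses INI-style [module] sections with key = value lines,
    so ConfigParser is sufficient; keys are lowercased by the parser.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {module: dict(cp[module]) for module in cp.sections()}

def audit_module(opts: Dict[str, str]) -> List[str]:
    """Return the findings for one module, using rsync's documented defaults:
    read only = yes, list = yes, all hosts allowed, no auth users."""
    findings = []
    if opts.get("read only", "yes").lower() in ("no", "false", "0"):
        findings.append("writable by any client")
    if "hosts allow" not in opts:
        findings.append("no IP restriction")
    if "auth users" not in opts:
        findings.append("no user authentication")
    if opts.get("list", "yes").lower() not in ("no", "false", "0"):
        findings.append("module is listable")
    return findings

def audit(text: str) -> Dict[str, List[str]]:
    """Audit every module in an rsyncd.conf; an empty list means no findings."""
    return {name: audit_module(opts) for name, opts in parse_rsyncd(text).items()}
```

Running `audit(WEAK_CONF)` reports all four findings for the `backup` module, while `audit(HARDENED_CONF)` reports none.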