IT security researchers at cyber resilience firm UpGuard discovered a massive trove of highly sensitive data that was publicly accessible to anyone. The data belonged to hundreds of automotive giants including Tesla, Ford, Toyota, GM, Fiat, ThyssenKrupp, and Volkswagen, and was exposed through a publicly accessible server owned by Level One Robotics, a Canadian firm providing industrial automation services.
The data was discovered on July 1st, 2018, when 157 gigabytes of files (47,000 documents) were available on a server without any security.
Analysis of the exposed data revealed that it included trade secrets and other sensitive data from the automotive giants, such as scanned copies of passports, driver's licenses, invoices, banking data, contracts, non-disclosure agreements, robotic configurations and 10 years of assembly line schematics.
According to UpGuard’s blog post, “The data was exposed via rsync, a common file transfer protocol used to mirror or backup large data sets. The rsync server was not restricted by IP or user, and the data set was downloadable to any rsync client that connected to the rsync port.”
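For administrators who want to check their own rsync daemons for the condition described in that quote, here is an added example (not code from UpGuard, Level One or the original article) that audits an `rsyncd.conf` for modules with neither a `hosts allow` restriction nor `auth users`. The sample configuration, module names and paths are constructed for illustration.

```python
"""Audit an rsyncd.conf for modules open to any host and any user."""
# Constructed sample config (not from the incident): one open module, one restricted.
SAMPLE_CONF = """\
read only = yes
[backups]
    path = /srv/backups
[designs]
    path = /srv/designs
    hosts allow = 10.0.5.0/24
    auth users = mirror
    secrets file = /etc/rsyncd.secrets
"""

def parse_rsyncd_conf(text):
    """Return (globals, {module: params}); keys lowercased with whitespace removed."""
    global_params, modules = {}, {}
    current = global_params  # parameters before the first [module] are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current["".join(key.split()).lower()] = value.strip()
    return global_params, modules

def audit(text):
    """Map each module to its findings; global settings act as module defaults."""
    # Simplification: only 'hosts allow' counts as an IP restriction here;
    # 'hosts deny' and backslash line continuations are not evaluated.
    global_params, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        effective = {**global_params, **params}
        findings = []
        if not effective.get("hostsallow"):
            findings.append("no 'hosts allow': reachable from any IP")
        if not effective.get("authusers"):
            findings.append("no 'auth users': anonymous access")
        elif not effective.get("secretsfile"):
            findings.append("'auth users' set without 'secrets file'")
        report[name] = findings
    return report

if __name__ == "__main__":
    for module, findings in audit(SAMPLE_CONF).items():
        print(module, "->", findings or "restricted by IP and user")
```

A module that reports both findings matches the exposure UpGuard described: any rsync client that can reach the port can download it.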
Level One Robotics was informed about the breach on July 9th, and at the time of publishing this article the files had been taken offline. However, it is unclear whether the data was accessed by anyone other than UpGuard.
If it was, it could be a disaster for the companies, since automotive companies prefer to keep their plans secret to prevent competitors from accessing them.
“Level One takes these allegations very seriously and is diligently working to conduct a full investigation of the nature, extent, and ramifications of this alleged data exposure,” Level One chief executive Milan Gasko told The New York Times. “In order to preserve the integrity of this investigation, we will not be providing comment at this time.”
There was no comment from the automotive firms affected by the breach.