Carmakers’ trade secrets exposed by data breach
Ten years’ worth of data belonging to some of the world’s biggest carmakers including Toyota, Volkswagen, Fiat and Chrysler has been accidentally made available online, it has emerged.
Sensitive documents from over a hundred manufacturing companies – including confidential trade secrets – were exposed on a server owned by Level One Robotics, a specialist engineering company, according to Upguard, an Australian cybersecurity group that spotted the breach. Among the companies with data exposed are clients of Level One including divisions of VW, Chrysler, Toyota, General Motors, Tesla and Thyssenkrupp.
According to Upguard, the 157 gigabytes of data available online include over a decade of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms for employees, contracts and non-disclosure agreements.
The data was all available through rsync, software that allows companies to back up large data sets. The team first discovered the data breach earlier this month, prompting Level One, a Canadian company that supplies many of the world’s top car manufacturers, to shut down access.
Chris Vickery, the researcher who found the data, told The New York Times: “That was a big red flag. If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”
Naaman Hard, a security engineer at Digital Guardian, a data loss prevention software company, said: “Companies must learn from incidents like this and apply the right methods of protection to their IT environment, with the ability to apply security at the data-level being the most critical.”
According to Upguard, the permission settings on the rsync server indicate that the server was “writable”, meaning that someone could not only access information but also alter it.
Milan Gasko, chief executive of Level One Robotics, said his company was made aware of a claim from Upguard about an incident involving access to a single backup drive, which contained various data. “As soon as we were informed, we took the backup drive offline, which immediately eliminated the access. We have hired forensic experts to guide an investigation into Upguard’s claims, identify what data may have been accessible … and to strengthen our systems,” he said.
“We regret any concern this has caused customers and staff, and believe we have taken all appropriate actions to rectify the situation.”