Security researchers have discovered sensitive data from over 100 manufacturing companies left exposed online for anyone to access.
The data leak was due to the sloppy security of supplier Level One Robotics, and has left the likes of Chrysler, Ford, GM, Tesla, Toyota, and VW exposed, as well as German manufacturing giant ThyssenKrupp.
What kind of exposed data are we talking about?
“The 157 gigabytes of exposed data include over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements, detailing the sensitivity of the exposed information.”
“Not all types of information were discovered for all customers, but each customer contained some data of these kinds. Also included are personal details of some Level One employees, including scans of driver’s licenses and passports, and Level One business data, including invoices, contracts, and bank account details.”
It’s easy to imagine how such information could be used by criminals to augment their attempts to gain access to well-known firms through social engineering, gather confidential information, or simply assist them in identity theft and other fraud against individuals.
UpGuard says that the information was exposed via rsync, a tool commonly used to backup large amounts of data. Unfortunately, the rsync server was left exposed - with no restriction as to who could access it via IP address or username/password - so all of the data could be easily downloaded by anybody who connected their rsync client to the rsync port on the publicly accessible server.
To make matters worse, the rsync server was configured to be publicly writable - meaning that a malicious hacker could have altered documents or planted malware if they wished.
Oh dear oh dear oh dear.
What we’re witnessing here is a classic supply-chain problem. Millions is spent by large companies on securing their systems and data from hackers, but the risks posed by third-party suppliers is often overlooked. Suppliers may have access to some of your company’s sensitive data, or even be able to log into your network with their own credentials.
Can you be confident that your suppliers are taking security as seriously as you do? Remember it’s not just your company’s data which is put at risk by the lax security of a supplier, it’s your reputation too.
Level One closed the security hole one day after being informed by UpGuard, but we can only guess how long the data was put at risk, and hope that no-one other than well-intentioned security researchers stumbled across the security lapse.
Hard questions will no doubt be asked by Level One’s customers about how on earth it could have allowed sensitive data to be exposed so recklessly in the first place, and what measures it will put in place to ensure that similar security failures don’t happen in future.
For more information about this incident, be sure to read the blog post from UpGuard.