But this month, a security researcher came across tens of thousands of sensitive corporate documents — including many from nearly all of the largest auto manufacturers — on the open internet, unprotected. The trove included material from more than 100 companies that had interacted with a small Canadian company, Level One Robotics and Controls.
Among the documents were detailed blueprints and factory schematics; client materials such as contracts, invoices and work plans; and even dozens of nondisclosure agreements describing the sensitivity of the exposed information.
“That was a big red flag,” said Chris Vickery, the researcher who found the data. “If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”
It was unclear whether anyone else had seen or downloaded the unguarded data, which included some personal information, such as scanned driver’s licenses and passports, on Level One employees but otherwise appeared to be confined to corporate secrets. Vickery alerted the company last week, and the exposed information was taken offline within a day.
But the inadvertent exposure of customers’ data illustrates a problem confounding businesses: Some of their biggest security risks come from their suppliers and contractors.
Many of the worst recent data breaches began with a vendor’s mistake. In 2013, thieves infiltrated Target’s payment terminals and stole credit and debit card information from 40 million customers. The attackers got in by hacking one of Target’s heating and ventilation contractors, then using information stolen from that business to gain access to Target’s systems.
Just last month, Ticketmaster revealed that payment information from thousands of customers had recently been stolen in a breach it attributed to flawed software from Inbenta, a company running customer support chatbots on Ticketmaster’s website.
“It’s relatively recently that C-level executives have begun to acknowledge that some of their third-party relationships are creating unbelievable risk,” said Larry Ponemon, the research firm’s founder.
The auto industry has a deep and complex supply chain, and third-party security risk is an area of growing concern, said Faye Francy, the executive director of the Automotive Information Sharing and Analysis Center, a trade group that focuses on cybersecurity.
Generally, automakers’ top security priority is vehicle risks, she said, such as vulnerabilities that could be used to attack a car’s critical components. Leaked corporate documents aren’t quite as fraught — “I doubt anyone is going to die over it,” Francy said — but the exposure of such information is still worrying.
“No one wants their data outside of their own company,” she said. “Anything that showcases how they manufacture is proprietary and competitive.”
He’s a rarity in the industry: a security sleuth who doesn’t hack. Instead, he searches communication ports and the internet’s hive of connected devices to find information inadvertently made public. His discoveries have included medical records, airport security files, hotel bookings, a terrorist screening database and 87 million Mexican voter registration records. Once the sensitive information has been secured, he publicly discloses that the data had been revealed.
Vickery found Level One’s data through an exposed backup server. It required no password or special access permissions, he said. Anyone who connected could download the material, which totaled at least 157 gigabytes and contained nearly 47,000 files filled with factory records and diagrams from companies including Fiat Chrysler, Ford, General Motors, Tesla, Toyota and Volkswagen.
Milan Gasko, Level One’s chief executive, declined to discuss the details of the exposed information.
Gasko said it was “extremely unlikely” that the data had been viewed by any outside parties other than Vickery, but he did not address questions about whether Level One has tools in place to detect unauthorized access.
Level One was founded in 2000 in Windsor, Ontario, and opened an American office six years later outside Detroit. The company provides engineering services, with a focus on robotics and automation, to manufacturing companies, according to its website.
Officials from General Motors, Toyota and Volkswagen declined to comment on the data exposure. Fiat Chrysler, Ford and Tesla did not respond to requests for comment.
Researchers like Vickery often face skepticism, and criticism, from the companies that they notify about exposed data — no business likes to get a phone call telling it that it has revealed sensitive information. But publicizing data breaches is an effective way to get other companies to combat them, he said.
“Nothing gets better in silence, as far as cybersecurity goes,” Vickery said. “Human nature is to try to sweep things under the rug. That hurts our society. We need better data security, and nothing improves unless people realize there’s a problem.”