The cyber security firm UpGuard has discovered sensitive data belonging to hundreds of automotive companies, including Tesla, Ford, Fiat, GM and Volkswagen, leaked on the internet. The shocking part is that the data was made available to the public due to a breach carried out on the Level One Robotics server.
Around 47,000 documents and 157 GB of data are available on an exposed server which can be accessed publicly. This is a huge concern for everyone, and the announcement has also sent a wave of shock through the stock market, where companies like Tesla suffered a huge blow.
Automotive Companies Breached: What Does The Exposed Data Include?
The data contains highly sensitive information of some of the biggest companies. Scanned passports, bank data, invoices, contracts, driver licenses, agreements, schematics, designs and even trade secrets are out in the open.
The biggest problem is that the leaked data is out in the open for anyone to see.
Automotive Companies Breached: How Was The Hack Implemented?
According to UpGuard, the hack was implemented using a file transfer protocol called Rsync. The protocol is fairly old and is used primarily to back up large amounts of data. Any client that connects to the Rsync port can access Rsync and download data when the server does not restrict access.
More details on the leak are not yet available. Authorities are working hard to minimize the damage, but many experts say that it might already be too late.
Automotive Companies Breached: The Bottom Line
So far nothing has been brought to light regarding the hack. A total of 157 GB of data was leaked; however, nobody is sure yet whether it was due to a hack or an inside job from Level One Robotics. Some even say that it might be due to a configuration error. Nonetheless, investigations are underway and the data is gradually being secured.
LHN has been provided with a number of unique insights from other experts:
Luke Brown, VP EMEA at WinMagic
“If I had a dollar for every preventable incident of data compromise, I’d be a very wealthy man. Companies have such a wide variety of infrastructure spanning everything from endpoints, data centres and cloud, meaning it is not easy to ensure that your deeply sensitive, and highly valuable, information doesn’t fall into the wrong hands. What is needed is an end-to-end data protection platform that works across all infrastructures. More importantly, it must encrypt the data, and ensure it stays encrypted until needed.
For organisations operating at the forefront of automotive innovation, protecting their intellectual property must be the number one priority. Should it fall into the wrong hands, it could literally put the brakes on the company’s survival. It’s not clear from this incident who viewed the data before it got taken off-line. But with an encryption platform, it doesn’t matter if your data gets breached – and it will – because the sensitive information is locked up.”
Rich Campagna, CMO at Bitglass
“It doesn’t take much for outsiders – malicious or not – to find unsecured data stores such as the one that belonged to Level One Robotics. Where data is publicly accessible because of misconfiguration, outsiders don’t need a password or the ability to crack complex encryption to get at sensitive information. Unfortunately, it seems Level One has no way to tell whether anyone got their hands on this data prior to UpGuard discovering it.
It is likely that this misconfiguration resulted from a well-meaning employee with excessive privilege and little security oversight. It could also be argued that this misconfiguration could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks.”
Naaman Hart, Managed Services Security Engineer at Digital Guardian
“At the core of this incident is a fundamental misunderstanding of securing internet facing systems. There were no ‘Access Control Lists’ to limit who connected to RSYNC via IP and there were no Username/Password requirements either. Without these basic security measures, finding the server was a free-for-all for anyone with an RSYNC client that could scan the internet for the open port.
This is a great example of the need for “data aware” security technologies. If Level One had data-centric security in place, it could have prevented its partners’ sensitive data from being altered, deleted, or in this case copied without prior permission. Companies must learn from incidents like this and apply the right methods of protection to their IT environment, with the ability to apply security at the data-level being the most critical.”
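The two controls the commentary above says were missing, an IP access list and a username/password requirement, correspond to the `hosts allow` and `auth users` parameters of an rsync daemon's rsyncd.conf. The audit script below is an added example, not part of the original article or of any quoted expert's tooling; the sample configuration, module names and paths are constructed, and line continuations and include directives are not handled.

```python
import re

# Constructed sample: "backups" is open as the article describes; "partners" is restricted.
SAMPLE_CONF = """\
read only = yes

[backups]
path = /srv/backups

[partners]
path = /srv/partners
hosts allow = 10.20.0.0/16
auth users = sync_svc
secrets file = /etc/rsyncd.secrets
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) with normalized parameter names."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = modules.setdefault(m.group(1).strip(), {})
            continue
        if "=" in line:
            name, value = line.split("=", 1)          # only the first "=" counts
            key = re.sub(r"\s+", "", name).lower()    # rsync ignores case/whitespace in names
            (globals_ if current is None else current)[key] = value.strip()
    return globals_, modules

def audit(text):
    """Map each module lacking an IP allow-list or authentication to its issues."""
    globals_, modules = parse_rsyncd_conf(text)
    findings = {}
    for name, params in modules.items():
        eff = {**globals_, **params}                  # module values override globals
        issues = []
        if not eff.get("hostsallow"):
            issues.append("no 'hosts allow' (any IP can connect)")
        if not eff.get("authusers"):
            issues.append("no 'auth users' (anonymous access)")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```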