A security researcher by the name of Chris Vickery, who works for the security firm Upguard, came across tens of thousands of sensitive corporate documents from a number of major automakers on the open internet, unprotected.
Upguard is an Australian cyber-resilience startup company founded by Mike Baukes and Alan Sharp-Paul, presently based in Mountain View, California. Their Cyber Resilience platform determines a company’s cyber-security risk factors by scanning both internal and external computer systems.
The trove included material from more than 100 companies that had interacted with a small Canadian company, Level One Robotics and Controls, in Windsor, Ontario.
According to the Level One Robotics and Controls website, the company is an engineering service provider specializing in automation process and assembly for OEMs, Tier 1 automotive suppliers, and end users. Its services range from project management to design, integration, debug and training services. The company started in 2000, and by 2006 it had expanded to include an office in metro Detroit.
Nearly 47,000 files of factory records from Tesla Inc., Toyota Motor Corp., and Volkswagen, along with Fiat Chrysler Automobiles, Ford Motor Co., and General Motors were found, including files that exposed several of the companies’ trade secrets.
“Automotive manufacturers — and manufacturers in general — usually want to keep the details of how they make their products confidential,” Upguard said in a statement that was first reported in the New York Times.
“Factory layouts, automation efforts, and robot specifications ultimately determine the output potential for the company. Malicious actors could potentially sabotage or otherwise undermine operations using the information present in these files; competitors could use them to gain an unfair advantage.” There were also copies of driver’s licenses and passports.
The documents exposed by the leak included digital copies of contracts, invoices, and work plans; detailed factory blueprints; and nondisclosure agreements. Finding the nondisclosure agreements “was a big red flag,” Vickery told the Times. “If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”
Level One Robotics was contacted about the data leak last week and took the data offline within a day. But as Ford Authority notes, it’s uncertain whether anyone besides Vickery and Level One employees viewed or downloaded any of the documents.
“Level One takes these allegations very seriously and is diligently working to conduct a full investigation of the nature, extent, and ramifications of this alleged data exposure,” says Level One President and CEO Milan Gasko. “In order to preserve the integrity of this investigation, we will not be providing comment at this time.”
The thing is this: Vickery found the information through a backup server, one that did not require a password. The data totaled some 157 gigabytes, spread across nearly 47,000 files. The auto industry’s supply chain is among the most exposed by the leak, especially with regard to vehicle risks and other security concerns.