A security error by a third-party supplier has left over 100 manufacturing firms including several big-name carmakers red-faced after sensitive documents were exposed.
Over 150GB of data was left on a publicly accessible server by Level One Robotics, a supplier to Tier 1 automotive firms including VW, Chrysler, Ford, Toyota, GM and Tesla, and German manufacturing giant ThyssenKrupp.
The infrastructure found to be responsible was an exposed rsync server with no restriction by IP address or user account, so any rsync client that connected to the rsync port could download the data stored there, according to Upguard.
“The 157GBs of exposed data include over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements, detailing the sensitivity of the exposed information,” the security vendor explained.
“Not all types of information were discovered for all customers, but each customer contained some data of these kinds. Also included are personal details of some Level One employees, including scans of driver’s licenses and passports, and Level One business data, including invoices, contracts, and bank account details.”
Even worse, the rsync server was publicly writable at the time the privacy snafu was discovered, meaning a malicious outsider could have altered the documents stored there or even uploaded malware.
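The three properties that made this server dangerous (no client IP restriction, no user authentication, and a writable share) are all visible in an rsyncd.conf, so they can be checked before a daemon is ever exposed. The following is an added example, not code from Upguard, Level One or the article: a small Python audit that parses an rsyncd.conf and flags modules with those weaknesses. The two embedded configs are constructed for the example; the module name `engineering`, the paths and the `lineops` user are assumptions, not details from the incident.

```python
"""Audit an rsyncd.conf for the exposure pattern described in the article.

Added example (not from the article or the companies involved). The two
sample configurations below are constructed: the first reproduces the
unrestricted, writable pattern; the second is the hardened equivalent.
"""
import re

FALSE_VALUES = {"no", "false", "0"}


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf text into (global_settings, {module: settings}).

    rsyncd.conf is INI-like: 'key = value' lines, '[module]' headers, and
    '#' or ';' comments. Settings before the first header are global
    defaults that every module inherits unless it overrides them.
    Keys are case-insensitive and may contain spaces ('hosts allow').
    """
    global_settings = {}
    modules = {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            name = header.group(1).strip()
            modules[name] = {}
            current = modules[name]
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return global_settings, modules


def _is_false(value):
    return value is not None and value.strip().lower() in FALSE_VALUES


def audit_rsyncd(text):
    """Return a list of (module, finding) tuples for risky module settings.

    The checks correspond to the three properties of the exposed server:
    reachable from any IP, no user authentication, and writable.
    """
    global_settings, modules = parse_rsyncd_conf(text)
    findings = []
    for name, settings in modules.items():
        def effective(key):
            # A module-level setting overrides the global default.
            return settings.get(key, global_settings.get(key))

        if effective("hosts allow") is None:
            findings.append((name, "no 'hosts allow': reachable from any IP"))
        if effective("auth users") is None:
            findings.append((name, "no 'auth users': anonymous access"))
        elif effective("secrets file") is None:
            findings.append((name, "'auth users' set but no 'secrets file'"))
        # rsyncd defaults 'read only' to yes, so only an explicit no is writable.
        if _is_false(effective("read only")):
            findings.append((name, "'read only = no': clients can upload or alter files"))
    return findings


# Constructed sample: anonymous, unrestricted and writable (the exposure pattern).
WEAK_CONF = """
# global defaults
use chroot = yes

[engineering]
    path = /srv/engineering
    comment = schematics and plans
    read only = no
"""

# Constructed sample: IP-restricted, authenticated, read-only, unlisted.
HARDENED_CONF = """
use chroot = yes
hosts allow = 10.20.0.0/16
hosts deny = *

[engineering]
    path = /srv/engineering
    comment = schematics and plans
    read only = yes
    auth users = lineops
    secrets file = /etc/rsyncd.secrets
    list = no
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = audit_rsyncd(conf)
        print(f"{label}: {len(results)} finding(s)")
        for module, finding in results:
            print(f"  [{module}] {finding}")
```

Run against a real file with `audit_rsyncd(open("/etc/rsyncd.conf").read())`. Note that `hosts allow` in rsyncd.conf is a filter on the rsync daemon itself; it complements, rather than replaces, a network-level firewall rule on port 873, and a module that is not meant to receive uploads should never carry `read only = no`.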
Level One was praised for reacting quickly to the incident once notified by Upguard. However, organizations were urged to do more to secure their supply chains.
“Organizations and their vendors must have standardized deployment processes that create and maintain assets securely, reducing the likelihood of a data incident,” said Upguard.
“If this security is not built into the processes themselves, there will always be misconfigurations that slip through and lead to data exposure. They must also have an exposure response plan, so that when they are affected, they can act quickly to remediate, as Level One did in this case.”