Tesla, VW, and dozens of other manufacturers had their sensitive information exposed due to a weak security link in their supply chains.
The exposure occurred at industrial automation provider Level One Robotics via an inadequately secured rsync file transfer protocol server, according to researchers at UpGuard Cyber Risk.
The researchers found the server wasn't restricted meaning clients connected to it could access the data and with the right knowledge of where trade secrets were stored could pilfer them.
In addition, “the permissions set on the rsync server at the time of the discovery indicated that the server was publicly writable, meaning that someone could potentially have altered the documents there, for example replacing bank account numbers in direct deposit instructions or embedding malware,” a situation, UpGuard researchers wrote in a blog post, that poses a “significant risk.”
Researchers couldn't determine whether miscreants had accessed the 157 GB of exposed data gathered over a 10-year span that included assembly line schematics, non-disclosure agreements and VPN request forms as well as bank account and ID details on Level One employees.
“Malicious actors could potentially sabotage or otherwise undermine operations using the information present in these files; competitors could use them to gain an unfair advantage,” UpGuard said, pointing out that “the presence of so many strongly worded NDAs within the data set itself speaks to the level of confidentiality expected by these partners when handling this kind of information.”
More troubling, the UpGuard team wrote, were “the files dealing with gaining access, both digital and physical, too many client companies.”
The dataset didn't contain plaintext passwords, they said, but “the combination of the official identification and VPN credential request forms, the contact point for many of Level One's customers, and the personal information and photographs of Level One employees could make” it easier for attackers to more easily socially engineer their way into guarded facilities.
The findings are further evidence that “the supply chain has become the weakest part of enterprise data privacy,” said UpGuard researchers. “The complexity of the supply chain involves a sprawl of third and fourth-parties who handle corporate data sets” and have their own sets of processes and systems to protect data.
If an organization doesn't “understand which third parties with access to [its] network present the greatest risk to [its] data, [its] digital ecosystem becomes a ticking time bomb just waiting to be exploited” as it did this case, said Fred Kneip, CEO, CyberGRX.
“It's just one vulnerability in one of thousands of suppliers, but the impact could be enormous,” said Kneip. “The ability to understand which third parties have weak controls that could put your data at risk is a critical step toward understanding your true risk exposure.”
James Lerud, head of the Behavioral Research Team at Verodin, the security instrumentation leader, said: Noting that “Level One Robotics and Controls was trusted by so many companies. “The fact that this kind of breached happened and data from so many big players was involved goes to show that anyone can be a victim if third parties are not continuously vetted,” said James Lerud, head of the Behavioral Research Team at Verodin, pointing to how well respected and trusted Level One is.
“It is no longer enough for companies to maintain trust through a one-time or annual audit,” he said. “Big players should demand a transparent and ongoing demonstration of security controls in action.”
UpGuard praised Level One Robotics for having an exposure-response plan that allowed it to “act quickly to remediate” and encouraged all organizations and vendors to adopt “standardized deployment processes that create and maintain assets securely, reducing the likelihood of a data incident.”