Cybersecurity firm Upguard, which specializes in finding unprotected data on the web, discovered a treasure trove of trade secrets from VW, Tesla, Toyota and perhaps many more manufacturers just sitting there in the open for anyone to download.
Upguard discovered the unsecured data on servers maintained by Level One Robotics and Controls on July 1st. The data, which includes highly sensitive information such as assembly line schematics and robotics configurations, may seem unimportant to the layperson, but data on production methods is considered one of the most important trade secrets in the industry.
In an ironic twist, the extremely strict Non-Disclosure Agreements that accompany this important data were the red flag that led Upguard to discover the breach. The NDAs were on the same open, unsecured, publicly accessible server as the production data. “That was a big red flag,” Chris Vickery of Upguard said, “If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”
The news gets worse: not only could anyone download the reports and schematics, the server's permissions also allowed anyone to write to it. This means someone could have downloaded the documents, made changes, then uploaded them back to the server. This leaves the owners of the data open to serious repercussions, including changes to routing numbers on direct deposit forms or malware hidden in their files.
While the leak poses a serious financial threat to the owners of the compromised data, there is no apparent safety consideration. Faye Francy, executive director of the Automotive Information Sharing and Analysis Center, a trade group that focuses on cybersecurity, said, “I doubt anyone is going to die over it, but the exposure of such information is still worrying. No one wants their data outside of their own company. Anything that showcases how they manufacture is proprietary and competitive.”
Level One Robotics and Controls had the hole patched by July 10th and is conducting an internal investigation to determine how and why these sensitive files were left out in the open in the first place. Representatives from Level One declined to comment.