A publicly accessible server belonging to robotics vendor Level One Robotics and Controls, Inc. contained sensitive documents connected to more than one hundred manufacturing companies.
Established in 2000, the engineering service provider offers automation process and assembly for OEM’s, Tier 1 automotive suppliers, and end users, delivering services such as project management, design, integration, debug, and training.
The exposed server was discovered by UpGuard Cyber Risk team earlier this month. It contained 157 gigabytes of data, including documents, schematics, and other information belonging to the provider’s customers and employees.
The exposed data included “over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements,” the security firm reveals.
Specifications and use of the machines, as well as animations of the robots at work, customer contact details, and ID badge request forms were also found on the server.
Level One customers impacted by the data exposure include divisions of VW, Chrysler, Ford, Toyota, GM, Tesla and ThyssenKrupp.
The server also contained data belonging to organization’s employees, such as scans of driver’s licenses and passports and other identification. Level One business data was also exposed, including invoices, prices, contracts, typical business documents, and bank account details (including account and routing numbers, and SWIFT codes).
“The sheer amount of sensitive data and the number of affected businesses illustrate how third and fourth-party supply chain cyber risk can affect even the largest companies,” the security firm notes.
UpGuard says the data was exposed via rsync, the file transfer protocol commonly used for large data transfers. The researchers discovered that access to the server wasn’t restricted by IP or user and that the data was downloadable to any rsync client that connected to the rsync port.
“This is the same type of administrative error we continue to see over and over again both on-premise as well as in the cloud. Until organizations wholly operationalize security into their development lifecycle, we will likely continue to see similar data exposure from non-malicious insiders,” Matt Chiodi
, VP of Cloud Security at RedLock, told SecurityWeek in an emailed commentary.
Discovered on July 1, 2018, the exposed rsync server was established to belong to Level One several days later. The company was successfully informed on the issue on July 9 and closed the exposure by the next day.
“The fact that this kind of breached happened and data from so many big players was involved goes to show that anyone can be a victim if third parties are not continuously vetted. It is no longer enough for companies to maintain trust through a one-time or annual audit. Big players should demand a transparent and ongoing demonstration of security controls in action,” James Lerud, head of the Behavioral Research Team at Verodin, said in an emailed commentary.
Related: 200 Million Sets of Japanese PII Emerge on Underground Forums
Related: Thousands of Mobile Apps Leak Data from Firebase Databases
