Data Breach of Automakers’ Trade Secrets Flags Supply Chain Weaknesses

essidsolutions

Concern over data breaches has taken an upward lurch in the few days since a security researcher discovered tens of thousands of sensitive corporate documents, including trade secrets from almost all the major automakers, unprotected on the open internet.

Normally closely guarded information from more than 100 manufacturing companies, including General Motors, Tesla, Ford and Fiat Chrysler, was discovered by Chris Vickery, director of security services company UpGuard Cyber Risk, who found factory blueprints, specifications and configurations of robotics products, client contracts and, ironically, non-disclosure agreements.

“That was a big red flag,” Vickery says. “If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”

Third Party Vulnerability

All companies exposed in the data breach had interacted with Level One Robotics and Controls, which uploaded the documents to a file transfer protocol server that was inadequately secured. Once alerted, the Canadian robotics vendor removed the exposed information within a day, but the discovery underlines the cyber-risk involved in using third-party suppliers and contractors.

UpGuard says: “The supply chain has become the weakest part of enterprise data privacy. Companies that spend many millions a year on cyber-security can still be exposed by a vendor who handles their data.”

The information was exposed via rsync, a common file transfer protocol used to mirror or back up large data sets. Access to the server in question was not restricted by password or special access permissions, with the data (about 157 gigabytes in volume, spread over 47,000 files) freely available for download by any rsync client connected to the port.

It is unclear whether anyone else had exploited access to the information, although Level One CEO Milan Gasko believes it is “extremely unlikely” that it had been viewed by anyone other than Vickery.

Standardized Access Deployment

UpGuard stresses the need for methodized access: “Organizations and their vendors must have standardized deployment processes that create and maintain assets securely, reducing the likelihood of a data incident.” It says rsync instances should be protected by IP passwords and clients must be authenticated before being able to receive the data set.
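The exposure described above and the mitigation UpGuard recommends both come down to a handful of settings in the rsync daemon's module configuration: with no `hosts allow` line any source address is accepted, with no `auth users` line clients connect anonymously, and a listed module can be enumerated by anyone who reaches the port. The script below is an added example, not code from the article, from UpGuard or from Level One; it parses rsyncd.conf modules with the standard key names and flags the unauthenticated-exposure pattern, running over two constructed sample configurations (a weak one and its hardened counterpart). The module name, paths, network range and account name in the samples are made up for illustration.

```python
"""Audit rsyncd.conf module definitions for unauthenticated exposure.

Added example (not the article's or any vendor's code). It relies on the
standard rsyncd.conf keys: 'hosts allow', 'hosts deny', 'auth users',
'secrets file', 'read only' and 'list'.
"""
import configparser

# Constructed sample: a module exported to anyone who can reach the rsync port.
WEAK_CONFIG = """
[projects]
path = /srv/projects
comment = engineering documents
read only = no
list = yes
"""

# Constructed sample: the same module limited to known clients and accounts.
HARDENED_CONFIG = """
[projects]
path = /srv/projects
comment = engineering documents
hosts allow = 192.0.2.0/24
hosts deny = *
auth users = buildsvc
secrets file = /etc/rsyncd.secrets
read only = yes
list = no
"""


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf (INI-like layout) into {module: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def audit_module(name, settings):
    """Return a list of findings for one module; an empty list means it passes."""
    findings = []
    # Absent 'hosts allow' means the daemon accepts every source address.
    if "hosts allow" not in settings:
        findings.append(f"{name}: no 'hosts allow' -> reachable from any source address")
    # Absent 'auth users' means clients are served anonymously.
    if "auth users" not in settings:
        findings.append(f"{name}: no 'auth users' -> anonymous clients can pull the module")
    elif "secrets file" not in settings:
        findings.append(f"{name}: 'auth users' set but no 'secrets file' -> logins cannot be verified")
    # rsyncd defaults 'read only' to yes; an explicit 'no' lets clients write.
    if settings.get("read only", "yes").lower() in ("no", "false", "0"):
        findings.append(f"{name}: 'read only = no' -> remote clients can modify the data set")
    # rsyncd defaults 'list' to yes, so the module shows up in a bare listing.
    if settings.get("list", "yes").lower() in ("yes", "true", "1"):
        findings.append(f"{name}: module is listed -> discoverable by anyone querying the daemon")
    return findings


def audit_config(text):
    """Audit every module in a configuration and return all findings."""
    findings = []
    for name, settings in parse_rsyncd_conf(text).items():
        findings.extend(audit_module(name, settings))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for line in audit_config(cfg) or ["no findings"]:
            print("  " + line)
```

Run it against a real `/etc/rsyncd.conf` by reading the file into `audit_config`. The checks are deliberately conservative: network-level controls (firewalling the rsync port or binding the daemon to an internal address) are not visible in this file, so a module the script flags may still be unreachable in practice, but a module it passes has at least the per-module controls UpGuard describes.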

To a security researcher like Vickery, who routinely scours the web hunting for unguarded data caches, publicizing data breaches is the only way to push other companies into taking preventative action. Vickery has previously tracked down exposed caches of around 191 million US and 93 million Mexican voter records and details of around 13 million MacKeeper users.

This is not the first time a vendor’s mistake has led to a data breach. In 2013, US retailer Target was ordered to pay $18.5 million to 47 US states as compensation for the theft of customer data via its payment system. Hackers stole information from a heating and ventilation contractor that enabled them to access Target’s payment terminals and gather the credit and debit card information of 40 million customers.

Malicious Software

Home Depot also had to pay $25 million in compensation for a breach linked to a vendor. And in June this year, Ticketmaster in the UK announced a data breach following the identification of malicious software on a customer support product hosted by Inbenta Technologies, a third-party supplier.

A study last year by risk management provider Opus and the Ponemon Institute on data risk in the third-party ecosystem found that 56% of companies surveyed had experienced a data breach caused by a third party. This represented a 7% rise on the previous year, with US companies on average paying $7.35 million per breach in fines, remediation costs and loss of customers. The report found companies also lack visibility into the security practices of third parties with which they continue to share data.

Having become increasingly concerned about cyber-loopholes along the supply chain, investment manager Blackstone last year backed the creation of a third-party global cyber risk exchange that enables companies to assess vendors in the same way banks rely on rating agencies to assess the creditworthiness of bond issuers.

Protection via Blockchain

Last week, a GE subsidiary invested in a funding round by Xage, a cyber-security start-up that uses blockchain technology to link industrial machines such as oil wells and smart meters securely.

The company is among a wave of start-ups responding to concerns about cyber-attacks on industrial equipment connected to the internet. The use of blockchain means any anomalies on one device can be detected and contained, preventing a hacker from gaining the access that would be available through a centralized network.

With the risks escalating, it has become imperative to secure all the links along a company’s supply chain. The apparent lack of any harmful consequences of the exposure of auto company trade secrets may have been a lucky escape, but it has set off alarm bells for the industry.

At a time when auto manufacturers and tech companies are getting closer to deploying autonomous vehicles on a mass scale, they will need to have a response to the possibility that hackers could take control of self-driving vehicles with malicious intent.