Carmakers hit with massive data breach

Keith Laing
The Detroit News

Washington — Automakers including Fiat Chrysler, Ford, General Motors, Toyota, Volkswagen and Tesla were hit with a massive data breach that exposed sensitive business information, according to an Australian security services firm now based in California. 


That firm, UpGuard Inc., confirmed Friday that a security researcher for the company discovered tens of thousands of sensitive documents including company manufacturing secrets on an unprotected and publicly accessible computer server. That server is owned by Level One Robotics, a Canadian engineering service with an office in Auburn Hills that specializes in automation for carmakers and parts suppliers.

Documents included factory and assembly line blueprints and schematics, robotic configurations, contracts and other information from more than 100 manufacturing companies.

The security breach was first reported Friday by the New York Times.

Ironically, dozens of non-disclosure agreements detailing the sensitivity of the exposed information were among the documents.

“That was a big red flag,” Chris Vickery, the researcher who found the data, told the Times. “If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”

UpGuard said in a statement that the leaked information related to the auto companies includes "assembly line and factory schematics; non-disclosure agreements; robotic configurations, specifications, animations and blueprints; ID badge and VPN access request forms; customer contact information." 

Corporate data such as contracts, invoices, price negotiations and scopes of work and customer agreements were also exposed, according to UpGuard. 

Ford, GM, and Level One did not immediately respond to a request for comment. FCA declined to comment.

UpGuard said it discovered the unsecured server on July 1. It said that Level One learned of the problem July 9 and that the server was closed the following day.

It is unclear whether anyone else discovered or downloaded the data.

The security services company regularly searches the Internet for exposed information and has discovered medical records, security files and other sensitive data. It then alerts the affected companies that they have a problem.

The security firm said the leaks demonstrate the risk that carmakers and other manufacturers take when they exchange sensitive information with third-party companies. 

"The supply chain has become the weakest part of enterprise data privacy," UpGuard said. "Companies that spend many millions a year on cybersecurity can still be exposed by a vendor who handles their data."
 

klaing@detroitnews.com

(202) 662-8735

Twitter: @Keith_Laing