July 23, 2018//Ellen Neveux
What do Tesla, Toyota, Fiat/Chrysler, Ford, General Motors, and Volkswagen have in common? No, it’s not that they are well-known automobile companies. It’s that they had sensitive information and trade secrets breached because of a security error from the same third-party vendor, a robotics and automation company called Level One. Having a vendor in common typically isn’t a huge deal, but everything changes if that third party leaves a significant amount of sensitive and proprietary information on the internet, unprotected and visible to anyone looking for it. Level One did just that.
This breach was first reported on July 20, 2018, by The New York Times, and was originally found by cyber-risk researcher Chris Vickery of UpGuard. The data, roughly 157 gigabytes and nearly 47,000 files filled with factory records and diagrams, required no password or special permissions to access. In other words, anyone who knew where to look could have accessed trade secrets and other sensitive information from 100 different, highly regulated companies.
“But the inadvertent exposure of customers’ data illustrates a problem confounding businesses: Some of their biggest security risks come from their suppliers and contractors.”
Stacy Cowley, New York Times
How did the researcher actually get at all of this data? Honestly, it wasn’t too hard for him to gain access. According to Mr. Vickery, the data was exposed via rsync (a common file transfer protocol used to mirror or back up large sets of data across computer systems). Although rsync is common, restrictions are usually put in place to increase the level of security. However, this rsync file server wasn’t restricted by IP or user. That meant that anyone who connected to this specific port was able to download all of this sensitive information.
As a result, this database, containing a wealth of industry knowledge and trade secrets, was exposed to the world until researchers found it. TechCrunch reported that it’s still unclear whether anyone with malicious intent accessed this data before it was found and Level One took it off the internet.
The exposed information contained:
Remember, not only could anyone who connected to this rsync file server access and download this material, but they could also edit it. The permission setting on this server was set as both public and “writable”, noted UpGuard. This means that if someone had access to it before the researcher found it, they could have altered the contents. The fact that this information was available and editable is terrifying, but hopefully, this incident brings more attention to these issues. For example, the founder of Ponemon Institute, Larry Ponemon, highlighted that “it’s relatively recently that C-level executives have begun to acknowledge that some of their third-party relationships are creating unbelievable risk…” Yes, enterprises rely on vendors, but it is obvious that these relationships carry tremendous risks, and that is finally opening the eyes of C-level executives.
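The exposure described above (an rsync daemon with no IP or user restriction and a writable share) can be checked for in a daemon's own configuration. The following is an added example, not code from UpGuard, Level One or the original article: it parses an rsyncd.conf and flags modules that lack `hosts allow`, lack `auth users`, or have `read only` disabled. The sample configuration, module names and paths are constructed, and `hosts deny` rules and wildcard patterns are not evaluated.

```python
# Added example: audit an rsyncd.conf for unrestricted or writable modules.
SAMPLE_CONF = """\
# constructed sample, not Level One's configuration
uid = nobody
[customer_data]
    path = /srv/customer_data
    read only = no
[mirror]
    path = /srv/mirror
    hosts allow = 192.0.2.0/24
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""

FALSE_VALUES = {"no", "false", "0"}

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}); whitespace in names is dropped."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        name, sep, value = line.partition("=")  # only the first '=' is significant
        if not sep:
            continue
        key = "".join(name.split()).lower()
        (globals_ if current is None else current)[key] = value.strip()
    return globals_, modules

def audit(text):
    """Map each risky module to the list of problems found in it."""
    globals_, modules = parse_rsyncd_conf(text)
    findings = {}
    for mod, params in modules.items():
        eff = {**globals_, **params}  # module settings override global defaults
        issues = []
        if not eff.get("hostsallow"):
            issues.append("no IP restriction (hosts allow unset)")
        if not eff.get("authusers"):
            issues.append("no user restriction (auth users unset)")
        if eff.get("readonly", "yes").lower() in FALSE_VALUES:  # rsync default: yes
            issues.append("writable (read only disabled)")
        if issues:
            findings[mod] = issues
    return findings

if __name__ == "__main__":
    for mod, issues in audit(SAMPLE_CONF).items():
        print(f"[{mod}] " + "; ".join(issues))
```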
Vendor regulation matters
To the average person, schematics for the assembly line might not be anything to get excited over, but to automotive manufacturers it’s huge. These manufacturers, and any manufacturer in general, want to keep the details of production confidential and away from the public eye. That means someone with malicious intent would love to get their hands on it; they could sabotage plans or even sell these schematics to competitors. Faye Francy, the executive director of a trade group that focuses on cybersecurity, noted that since the auto industry has a deep and complex supply chain, third-party security risk is an area of growing concern. However, hackers will attack these third parties since they know that this is usually the easiest way into an enterprise’s network.
What’s even more eye-opening about this whole situation is that this dataset contained quite a few nondisclosure agreements, under which clients expect an increased level of security and confidentiality that Level One did not exhibit. Instead, the third-party vendor exposed a ton of highly sensitive information to anyone who attempted to access it. Because of this, it wouldn’t be surprising if Level One’s reputation was harmed: not only did it expose all of the sensitive information it had agreed to keep secret, but it also leaked its employees’ personal information, which could lead to identity theft and other fraud.
Takeaways: Vendors are a liability
The New York Times said: “many of the worst recent data breaches began with a vendor’s mistake.” Consider that we are barely a week out from the recent Ticketmaster breach, and already the cybersecurity world has had to change gears to focus on another breach that stemmed from an unchecked third party. With the number of data breaches that occur because of third parties on the rise, it’s time to reflect on why it is happening and work to prevent it. Frequently, enterprises spend a significant amount of money on internal cybersecurity efforts, but often neglect third-party security. Regularly the supply chain is noted as the weakest part of an enterprise because of the relaxed, or non-existent, security, and hackers will continue to gain access to enterprise networks by using this path. One of the easiest and best ways to combat these looming external threats is with a solution built around secure remote access software.
Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers.