Level One Robotics has leaked 157 Gigabytes of customer data, including sensitive documents, to the web. The data belongs to more than 100 manufacturing companies. Those affected include Tesla, GM, ThyssenKrupp, VW and Ford.
The leak was discovered by security vendor UpGuard. In its report detailing the breach it states: “The 157 gigabytes of exposed data include over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements, detailing the sensitivity of the exposed information”.
UpGuard also reported that the breach included personal data belonging to Level One employees. It said: “Also included are personal details of some Level One employees, including scans of driver’s licenses and passports, and Level One business data, including invoices, contracts, and bank account details.”
Luckily for the company, it is based in Canada where mandatory breach notification doesn’t come into force until November 1, 2018. However, if any of the data affects US employees, it will have to disclose the details to the relevant state and federal authorities. Enterprise Times sent an email to the company asking for an interview but so far, there has been no response.
How and what did Level One expose?
As with many data breaches on the web, this is a case of misconfiguration of technology. The company was using the rsync protocol to transfer its backups to the web. UpGuard has warned customers about the risks of rsync in a blog post.
There are two issues here. The first is that Level One did not restrict the range of IP addresses allowed to connect to the rsync server. This means that it was left open to any device on the Internet. The second is that there was no user authentication. Again, this meant that anyone could connect and access the data. A properly configured rsync server would use both of these measures to make it harder to gain access to the data.
UpGuard has broken the data down into three categories. These are:
- Customer data – Assembly line and factory schematics; non-disclosure agreements; robotic configurations, specifications, animations, and blueprints; ID badge and VPN access request forms; customer contact information
- Employee data – Driver’s license and passport scans, ID photos (likely for badges); employee names and ID numbers
- Level One data – Contracts, invoices, price negotiations and scopes of work, customer agreements
The blog post detailing the breach goes into more details of this data including a list of customers and examples of the different documents found.
UpGuard also reports that this was not just about data theft. The server also allowed anyone with access to write data. This means that any attacker could have changed any of the documents at any time.
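The two misconfigurations described earlier (no address restriction, no authentication) and the write access noted here all correspond to settings in rsync's daemon configuration file, rsyncd.conf, so they can be checked mechanically. The following Python audit is an added example, not code from UpGuard or Level One: it parses a module definition and flags any module that lacks a `hosts allow` restriction, lacks `auth users`, or has `read only` switched off. The two sample configurations, the module name, the path and the address range are constructed for illustration, and the function names are hypothetical.

```python
"""Audit an rsyncd.conf for the three weaknesses behind the Level One exposure:
no address restriction, no authentication, and write access.
Added example; sample configs below are constructed, not from the breach."""
import configparser  # rsyncd.conf uses [module] sections and "key = value" lines

# Constructed example of a module left open the way the article describes:
# no "hosts allow", no "auth users", and writable.
WEAK_CONF = """
[backups]
path = /srv/backups
comment = nightly backups
read only = no
"""

# Constructed hardened counterpart: a restricted source range, a
# password-authenticated user, and read-only access.
HARDENED_CONF = """
hosts allow = 10.20.0.0/16
[backups]
path = /srv/backups
comment = nightly backups
auth users = backupsvc
secrets file = /etc/rsyncd.secrets
read only = yes
"""

RSYNC_FALSE = {"no", "false", "0"}  # spellings rsync accepts for a false boolean


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf text. Settings before the first [module] are global
    defaults; rsync itself accepts a [global] header for them, so we prepend one."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[global]\n" + text)
    return cp


def effective_setting(cp, module, key, default=None):
    """rsync resolves a setting per module, falling back to the global section."""
    if cp.has_option(module, key):
        return cp.get(module, key)
    if cp.has_option("global", key):
        return cp.get("global", key)
    return default


def audit(text):
    """Return {module_name: [issue, ...]}; an empty list means the module passed."""
    cp = parse_rsyncd_conf(text)
    findings = {}
    for module in cp.sections():
        if module == "global":
            continue
        issues = []
        # Issue 1: no address restriction, so any Internet host may connect.
        if effective_setting(cp, module, "hosts allow") is None:
            issues.append("no 'hosts allow': any Internet address may connect")
        # Issue 2: no authentication, so connections are anonymous.
        if effective_setting(cp, module, "auth users") is None:
            issues.append("no 'auth users': anonymous access to the module")
        # Issue 3: write access; rsync's default is read-only, so only an
        # explicit false value exposes the data to modification or deletion.
        read_only = effective_setting(cp, module, "read only", "yes")
        if read_only.strip().lower() in RSYNC_FALSE:
            issues.append("'read only' disabled: clients may modify or delete files")
        findings[module] = issues
    return findings


def is_exposed(text):
    """True if any module in the config has at least one of the three issues."""
    return any(issues for issues in audit(text).values())


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for module, issues in audit(conf).items():
            print(f"[{module}]", "OK" if not issues else "")
            for issue in issues:
                print("  -", issue)
```

Running the script prints three findings for the weak module and "OK" for the hardened one. The checker reads only the configuration, so it complements rather than replaces an external scan of what is actually reachable; a `hosts allow` line is only as good as the network it names, and `auth users` only protects data if the secrets file is itself kept private.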
Another breach by a third-party supplier
The risk footprint for many organisations is growing faster than their ability to assess it. Outsourcing has always existed but previously it was restricted to small parts of the enterprise. Today, everything from cyber security to IT support, manufacturing to engineering and support services is outsourced. This means that the main board needs to do a better risk assessment of its suppliers.
Part of the challenge here is that few organisations know anything about the sub-contractors used by the companies they have outsourced to. This makes it difficult to assess risk. Processes that do continuous assessment of outsourcing risk have to be put in place. Cyber Insurance also needs to be part of that process to deal with the cost of a breach.
Organisations also need to think about what data is being moved offsite. That data has to be classified and then encrypted. This does not stop a breach from a third-party but it does limit the impact. It is possible that the third-party needs access to the encryption keys because they are processing the data. In this case, there has to be a process to manage and change the keys regularly.
It appears that none of the above was happening in this case. There were files dealing with physical and digital access to organisations. Add to this the personal data and it doesn’t take much to craft highly effective spear phishing attacks to steal security credentials.
What does this mean?
If you are not monitoring your third-party suppliers then you are heading for a data breach. This is not a case of maybe but a case of when. Level One was not a third, fourth or fifth tier sub-contractor; it was a primary partner for many of these manufacturing companies. It designed, built and maintained robots and other equipment, and that means that it had privileged access to systems and sites.
Given its customer list it is reasonable to expect that Level One took all the steps necessary to protect data. What we now know is that it failed. That failure has exposed highly sensitive personal data of its employees, its company data and that of its customers.
To its credit, once it engaged with UpGuard, its incident response was fast, much faster than that of many companies. How it now deals with the investigation and what it does to prevent a repeat will be watched very closely by its customers.