UPDATED 23:09 EDT / JULY 22 2018

Robotics company data breach exposes trade secrets of Tesla and leading car makers

A data breach at a leading Canadian robotics company has exposed the trade secrets of a range of leading automakers and Tesla Inc. in what appears to be yet another case of misconfigured storage.

The breach was discovered by security researchers at UpGuard Inc., which announced it Friday. The data was found via rsync, a common file transfer protocol used to mirror or back up large data sets, which was in use at Level One Robotics and Controls Inc.

The exposed files included data from more than 100 manufacturing companies, including General Motors Co., Fiat Chrysler Automobiles N.V., Ford Motor Co., Tesla Inc., Toyota Motor Corp., ThyssenKrupp AG and Volkswagen AG. The contents varied by file and by company but are said to have fallen into three categories:

  • Customer data: assembly line and factory schematics; non-disclosure agreements; robotic configurations, specifications, animations, and blueprints; ID badge and VPN access request forms; customer contact information
  • Employee data: driver’s license and passport scans, ID photos (likely for badges); employee names and ID numbers
  • Level One data: contracts, invoices, price negotiations and scopes of work, customer agreements

As if the exposure of the data weren’t bad enough, the UpGuard researchers noted that the permissions set on the rsync server at the time of the discovery indicated that the server was publicly writable, “meaning that someone could potentially have altered the documents there, for example replacing bank account numbers in direct deposit instructions or embedding malware.”

UpGuard informed Level One Robotics of the data breach on July 9 and the company quickly removed the data from online access, but it isn’t known whether nefarious actors had accessed the data prior to that point.
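
For defenders running rsync in daemon mode, the two conditions described above (reachable by anyone, and writable) can be checked directly in `rsyncd.conf`. The following is an added example, not code from UpGuard or Level One, and the article does not say how the affected server was configured: it assumes a daemon config using the standard `auth users`, `hosts allow`, `hosts deny` and `read only` parameters, runs against a constructed sample, and does not handle line continuations or include directives.

```python
# Constructed sample rsyncd.conf for illustration (not from the incident).
SAMPLE = """\
hosts allow = 10.0.0.0/8
[backups]
path = /srv/backups
read only = no
auth users = mirror
[customer_data]
path = /srv/customers
Read Only = false
hosts allow = *
[public_docs]
path = /srv/docs
hosts allow = *
"""

def parse(text):
    """Return {module: params}; global parameters become per-module defaults."""
    defaults, modules, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), dict(defaults))
            continue
        name, sep, value = line.partition("=")
        if sep:
            # rsyncd ignores case and whitespace in parameter names
            key = "".join(name.split()).lower()
            (defaults if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Return {module: [finding codes]} for modules that are exposed."""
    report = {}
    for module, p in parse(text).items():
        anonymous = not p.get("authusers")
        allow = p.get("hostsallow")
        # Simplification: partial "hosts deny" lists are not evaluated.
        any_host = allow == "*" or (allow is None and "hostsdeny" not in p)
        writable = p.get("readonly", "yes").lower() in ("no", "false", "0")
        checks = {"anonymous-any-host": anonymous and any_host,
                  "anonymous-write": anonymous and writable}
        issues = [code for code, hit in checks.items() if hit]
        if issues:
            report[module] = issues
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A module that reports both findings matches the "publicly writable" condition the researchers describe; requiring `auth users`, narrowing `hosts allow`, and leaving `read only` at its default closes both.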

Fred Kneip, chief executive officer at CyberGRX Inc., told SiliconANGLE that as organizations’ digital ecosystems have expanded to include hundreds or even thousands of vendors, contractors, customers and suppliers, it’s more apparent than ever that third-party cyberrisk needs to be continuously managed.

“If you don’t understand which third parties with access to your network present the greatest risk to your data, your digital ecosystem becomes a ticking time bomb just waiting to be exploited,” Kneip explained. “That’s exactly what happened to Toyota, Tesla and Volkswagen. It’s just one vulnerability in one of thousands of suppliers, but the impact could be enormous.”
