A large robotics vendor, an assembly line droid builder, has become the latest company to expose confidential data belonging to major manufacturing companies. We are going to look at the facts and share our findings.
The recent revelation
It has been claimed that the Canadian robotics vendor Level One Robotics is the company involved in a big data leak for over 100 manufacturing companies.
Who exposed the data leak?
Upguard is a cyber resilience company. It provides products and services to help companies stand up securely configured systems and protect against outages and breaches. They are based in California, US.
What companies were supposedly affected by the data leak?
Level One Robotics has some major customers, including big automobile manufacturers like GM, Ford, Tesla, Volkswagen, Chrysler and more. The exposed data includes information on over a hundred different companies who interface with Level One.
You can read the full list of customers involved here.
On the 1st of July 2018, Upguard discovered the exposed rsync server and began analysis.
‘rsync’ is a utility for efficiently transferring and synchronizing files across computer systems, by checking the timestamp and size of files. Like many similar tools, it can be used insecurely if the correct procedures aren’t followed. rsync processes should be restricted by IP address so that only designated clients can connect. Without the correct procedures being taken, rsync is publicly accessible.
On the 5th of July 2018, Upguard attempted to contact the owner of the data leak, Level One Robotics.
Level One Robotics responded on the 9th of July 2018 and the exposure was closed on the 10th of July 2018.
What was the exposed data?
- Customer data – assembly line and factory schematics; non-disclosure agreements; robotic configurations, specifications, animations, and blueprints; ID badge and VPN access request forms; customer contact information
- Employee data – driver’s license and passport scans, ID photos (likely for badges); employee names and ID numbers
- Level One data – contracts, invoices, price negotiations and scopes of work, customer agreements
- Personal details of some Level One employees, including scans of driver’s licenses and passports, and Level One business data, including invoices, contracts, and bank account details
What are those involved saying?
Upguard, the company that exposed the data leak:
The Upguard team claimed, “The 157 gigabytes of exposed data include over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements, detailing the sensitivity of the exposed information. Not all types of information were discovered for all customers, but each customer contained some data of these kinds.”
Level One Robotics, the company that allegedly exposed the confidential data:
Level One CEO Milan Gasko told The New York Times, “Level One takes these allegations very seriously and is diligently working to conduct a full investigation of the nature, extent and ramifications of this alleged data exposure. In order to preserve the integrity of this investigation, we will not be providing comment at this time.”
Ford, one of the companies affected by the data leak:
A Ford spokesperson said that the company’s exposure appears minimal: “We’ve found no information that would indicate Ford is impacted. This supplier does not handle confidential information for the joint venture to whom they are contracted and they have not alerted us to any issue.”
Other companies, such as General Motors, Toyota, Fiat Chrysler, Tesla, and Volkswagen, have declined to comment or have not responded to requests for comment.
What will happen next?
The investigations are ongoing and we will let you know the outcome.
We can only presume that if the correct procedures
With any business data, security is of the utmost importance. Leaks of your company’s trade secrets will have a massive impact on your company.
Knowing where your data is and how it could be exposed is a big part of what preparing for the General Data Protection Regulation helps you understand. It is about data governance and risk assessment.
This is why understanding where your weakest links are, and where your next data breach could come from, is vital, whether that is one of your employees or one of your service providers.
Big data has big implications, but the scale of the problem does not matter. You still need to understand your risks, know your data, and know who and what has access to it.