News broke over the weekend that 157 gigabytes worth of sensitive documents for over a hundred manufacturing companies were exposed on a publicly accessible server belonging to Level One Robotics.
10 years of assembly line schematics, factory floor layouts, robotic configurations, employee driver’s licences and more were exposed via a publicly accessible server. The server was not restricted by IP or user, and the data set was downloadable to anybody, providing they had the right knowledge.
Luke Brown, VP EMEA at WinMagic:
“If I had a dollar for every preventable incident of data compromise, I’d be a very wealthy man. Companies have such a wide variety of infrastructure spanning everything from endpoints, data centres and cloud, meaning it is not easy to ensure that your deeply sensitive, and highly valuable, information doesn’t fall into the wrong hands. What is needed is an end-to-end data protection platform that works across all infrastructures. More importantly, it must encrypt the data, and ensure it stays encrypted until needed.
For organisations operating at the forefront of automotive innovation, protecting their intellectual property must the number one priority. Should it fall into the wrong hands, it could literally put the brakes on the company’s survival. It’s not clear from this incident who viewed the data before it got taken off-line. But with an encryption platform, it doesn’t matter if your data gets breached – and it will – because the sensitive information is locked up.”
Rich Campagna, CMO at Bitglass:
“It doesn’t take much for outsiders – malicious or not – to find unsecured data stores such as the one that belonged to Level One Robotics. Where data is publicly accessible because of misconfiguration, outsiders don’t need a password or the ability to crack complex encryption to get at sensitive information. Unfortunately, it seems Level One has no way to tell whether anyone got their hands on this data prior to UpGuard discovering it.
It is likely that this misconfiguration resulted from a well-meaning employee with excessive privilege and little security oversight. It could also be argued that this misconfiguration could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks.”
Naaman Hart, Managed Services Security Engineer at Digital Guardian:
“At the core of this incident is a fundamental misunderstanding of securing internet facing systems. There were no ‘Access Control Lists’ to limit who connected to RSYNC via IP and there were no Username/Password requirements either. Without these basic security measures finding the server was a free-for-all for anyone with an RSYNC client that could scan the internet for the open port.
This is a great example of the need for “data aware” security technologies. If Level One had data-centric security in place, it could have prevented its partners’ sensitive data from being altered, deleted, or in this case copied without prior permission. Companies must learn from incidents like this and apply the right methods of protection to their IT environment, with the ability to apply security at the data-level being the most critical.”