Automakers like Tesla, Toyota and Volkswagen go to great lengths to keep their technical information confidential. Details about assembly line machinery and proprietary robotics are among the industry’s most closely guarded trade secrets.
But this month, a security researcher came across tens of thousands of sensitive corporate documents — including many from nearly all of the largest auto manufacturers — on the open internet, unprotected. The trove included material from more than 100 companies that had interacted with a small Canadian company, Level One Robotics and Controls.
Among the documents were detailed blueprints and factory schematics; client materials such as contracts, invoices and work plans; and even dozens of nondisclosure agreements describing the sensitivity of the exposed information.
“That was a big red flag,” said Chris Vickery, the researcher who found the data. “If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”
It was unclear whether anyone else had seen or downloaded the unguarded data, which included some personal information, such as scanned driver’s licenses and passports, on Level One employees but otherwise appeared to be confined to corporate secrets. Mr. Vickery alerted the company last week, and the exposed information was taken offline within a day.
But the inadvertent exposure of customers’ data illustrates a problem confounding businesses: Some of their biggest security risks come from their suppliers and contractors.
Many of the worst recent data breaches began with a vendor’s mistake. In 2013, thieves infiltrated Target’s payment terminals and stole credit and debit card information from 40 million customers. The attackers got in by hacking one of Target’s heating and ventilation contractors, then using information stolen from that business to gain access to Target’s systems.
Just last month, Ticketmaster revealed that payment information from thousands of customers had recently been stolen in a breach it attributed to flawed software from Inbenta, a company running customer support chatbots on Ticketmaster’s website.
Fifty-six percent of the businesses polled last year by Ponemon Institute, a security research firm, said they had at some point experienced a data breach linked to a vendor. The exposure only grows as more third-party companies gain access: The survey’s respondents said an average of 470 outside companies had access to their sensitive corporate information, up from around 380 a year earlier.
“It’s relatively recently that C-level executives have begun to acknowledge that some of their third-party relationships are creating unbelievable risk,” said Larry Ponemon, the research firm’s founder.
The auto industry has a deep and complex supply chain, and third-party security risk is an area of growing concern, said Faye Francy, the executive director of the Automotive Information Sharing and Analysis Center, a trade group that focuses on cybersecurity.
Generally, automakers’ top security priority is vehicle risks, she said, such as vulnerabilities that could be used to attack a car’s critical components. Leaked corporate documents aren’t quite as fraught — “I doubt anyone is going to die over it,” Ms. Francy said — but the exposure of such information is still worrying.
“No one wants their data outside of their own company,” she said. “Anything that showcases how they manufacture is proprietary and competitive.”
Mr. Vickery, the director of cyber risk research at UpGuard, a security services company in Mountain View, Calif., has made a career out of hunting unguarded data caches.
He’s a rarity in the industry: a security sleuth who doesn’t hack. Instead, he searches communication ports and the internet’s hive of connected devices to find information inadvertently made public. His discoveries have included medical records, airport security files, hotel bookings, a terrorist screening database and 87 million Mexican voter registration records. Once the sensitive information has been secured, he publicly discloses that the data had been revealed.
Mr. Vickery found Level One’s data through an exposed backup server. It required no password or special access permissions, he said. Anyone who connected could download the material, which totaled at least 157 gigabytes and contained nearly 47,000 files filled with factory records and diagrams from companies including Fiat Chrysler, Ford, General Motors, Tesla, Toyota and Volkswagen.
Milan Gasko, Level One’s chief executive, declined to discuss the details of the exposed information.
“Level One takes these allegations very seriously and is diligently working to conduct a full investigation of the nature, extent and ramifications of this alleged data exposure,” he said. “In order to preserve the integrity of this investigation, we will not be providing comment at this time.”
Mr. Gasko said it was “extremely unlikely” that the data had been viewed by any outside parties other than Mr. Vickery, but he did not address questions about whether Level One has tools in place to detect unauthorized access.
Level One was founded in 2000 in Windsor, Ontario, and opened an American office six years later outside Detroit. The company provides engineering services, with a focus on robotics and automation, to manufacturing companies, according to its website.
Officials from General Motors, Toyota and Volkswagen declined to comment on the data exposure. Fiat Chrysler, Ford and Tesla did not respond to requests for comment.
Researchers like Mr. Vickery often face skepticism, and criticism, from the companies that they notify about exposed data — no business likes to get a phone call telling it that it has revealed sensitive information. But publicizing data breaches is an effective way to get other companies to combat them, he said.
“Nothing gets better in silence, as far as cybersecurity goes,” Mr. Vickery said. “Human nature is to try to sweep things under the rug. That hurts our society. We need better data security, and nothing improves unless people realize there’s a problem.”