Car companies wondering how Toyota builds a Corolla might have just missed a golden opportunity, as some of the automotive industry’s best-kept secrets were out in the open for an undetermined amount of time. Security researcher Chris Vickery discovered an immense data breach that affected numerous carmakers including Tesla, Toyota, Ford, and Volkswagen.
Vickery told the New York Times he found nearly 47,000 sensitive documents posted on the internet like a mac-and-cheese recipe on a cooking blog. The 157-gigabyte batch included corporate documents such as detailed blueprints and factory schematics, client material like invoices, contracts, and work plans, plus nondisclosure agreements (NDAs). Automakers normally go to great lengths to keep this type of data confidential and out of the public eye because outing trade secrets risks giving competitors an unfair advantage.
“That was a big red flag. If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available,” Vickery explained.
The roughly 100 companies affected by the leak all had one common point: They were in contact with a Canadian firm named Level One Robotics and Controls that specializes in designing automation processes for automakers and industry suppliers. Vickery found the data on one of Level One’s backup servers. There was no hacking required; the server wasn’t password-protected, so anyone who found its location could access the documents stored on it. Level One boss Milan Gasko told the New York Times it’s “extremely unlikely” someone other than Vickery found the server and viewed the data, but he declined to comment on whether the company can detect an unauthorized person accessing its files.
Vickery added the leaked documents also included personal information about a handful of Level One employees, including driver’s licenses and passports that the company scanned. Customer data wasn’t part of the breach, so motorists who bought a Toyota, a Tesla, or a Volkswagen have nothing to worry about. Officials from the car companies affected by the breach refused to comment on the matter.
Level One took down the information as soon as it heard about the breach from Vickery. “Level One takes these allegations very seriously and is diligently working to conduct a full investigation of the nature, extent, and ramifications of this alleged data exposure,” Gasko added.