Automotive industry faces severe data breaches and ransomware threats, CybelAngel investigation reveals
September 2021 by CybelAngel
An investigation by CybelAngel amongst leading automotive companies, discovered that trade secrets, personally identifiable information (PII) and other highly sensitive information had been leaked. Some of the leaked information included blueprints of engines and even production facilities.
Security weaknesses across the automotive supply chain were also discovered. Researchers found confidential agreements, blueprints, along with letters from human resources relating to issues such as employee contract termination.
CybelAngel conducted a wide-ranging examination of leading automotive companies throughout the first six months of 2021 to understand their cyber exposure risk and vulnerabilities, analyzing assets that are publicly available without the need for authentication.
Data was found across file servers, email exchange servers, databases, pastebins, and IoT devices.
The findings include:
• Out of a sample group of 2.2 million employees, roughly one in 10 employees have exposed publicly accessible credentials available online.
• Companies from the United States and Western Europe suffered the most exposed credentials. These credentials represent a major risk, as stolen, exposed, or reused credentials are exploited in 30% of ransomware attacks.
• Researchers found 26,322 exposed assets with open ports or protocols that needed to be closed immediately or monitored closely.
• The most significant leak was from an industrial design firm responsible for a leading US car firm’s new factory. The leaker appears to be a China-based design services supplier, commissioned especially for this project. These documents, dated to 2020, include around 200 pages of blueprints detailing the facility infrastructure and security system specifications.
• One manufacturer in the analysis exposed several million files in an AWS S3 bucket. The information included commercial details, email exchanges, contracts, invoices, and technical data. Another company exposed documents on their supplying of steel and other inputs to their competitors in violation of a Non-Disclosure Agreement (NDA), exposing them to legal risk.
Erwan Keraudy, CybelAngel CEO, said: “The risks of exposed data cannot be overstated. As well as ransomware attacks, leaks, exposed assets and credentials put companies at risk of intellectual property theft, data theft, corporate espionage, and fraud. The exposure of employee PII also means companies could end up being hit with multi-million dollar fines for breaking regulations like the GDPR.
“If the information relates to confidential information such as details of a company sale, the organisation that leaked the data could face legal action for breaking non-disclosure agreements or data privacy regulations as well as causing the failure of the entire acquisition deal.
“The automotive sector is attractive to hackers because it has long, complex, and interconnected supply chains with varying cybersecurity levels and therefore weak points. This report should be a wake-up call for the car industry, because the road ahead will be extremely bumpy unless action is taken to lock down data and safeguard credentials.”