Big auto makers’ trade secrets exposed in data leak traced to small Canadian company

Auto makers like Tesla, Toyota and Volkswagen go to great lengths to keep their technical information confidential. Details about assembly line machinery and proprietary robotics are among the industry’s most closely guarded trade secrets.

But this month, a security researcher came across tens of thousands of sensitive corporate documents — including many from nearly all of the largest auto manufacturers — on the open internet, unprotected. The trove included material from more than 100 companies that had interacted with a small Canadian company, Level One Robotics and Controls.

Among the documents were detailed blueprints and factory schematics; client materials such as contracts, invoices and work plans; and even dozens of nondisclosure agreements describing the sensitivity of the exposed information.

“That was a big red flag,” said Chris Vickery, the researcher who found the data. “If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”

It was unclear whether anyone else had seen or downloaded the unguarded data, which included some personal information — such as scanned driver’s licenses and passports — on Level One employees but otherwise appeared to be confined to corporate secrets. Vickery alerted the company last week, and the exposed information was taken offline within a day.

But the inadvertent exposure of customers’ data illustrates a problem confounding businesses: Some of their biggest security risks come from their suppliers and contractors.

Fifty-six percent of the businesses polled last year by Ponemon Institute, a security research firm, said they had at some point experienced a data breach linked to a vendor. The exposure only grows as more third-party companies gain access: The survey’s respondents said an average of 470 outside companies had access to their sensitive corporate information, up from around 380 a year earlier.

The auto industry has a deep and complex supply chain, and third-party security risk is an area of growing concern, said Faye Francy, the executive director of the Automotive Information Sharing and Analysis Center, a trade group that focuses on cybersecurity.

Milan Gasko, Level One’s chief executive, said it was “extremely unlikely” that the data had been viewed by any outside parties other than Vickery.

Level One provides engineering services, with a focus on robotics and automation, to manufacturing companies, according to its website.
