Skip to main content

Auto makers like Tesla, Toyota and Volkswagen go to great lengths to keep their technical information confidential. Details about assembly line machinery and proprietary robotics are among the industry’s most closely guarded trade secrets.

But this month, a security researcher came across tens of thousands of sensitive corporate documents — including many from nearly all of the largest auto manufacturers — on the open internet, unprotected. The trove included material from more than 100 companies that had interacted with a small Canadian company, Level One Robotics and Controls.

Among the documents were detailed blueprints and factory schematics; client materials such as contracts, invoices and work plans; and even dozens of nondisclosure agreements describing the sensitivity of the exposed information.

“That was a big red flag,” said Chris Vickery, the researcher who found the data. “If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”

It was unclear whether anyone else had seen or downloaded the unguarded data, which included some personal information — such as scanned driver’s licenses and passports — on Level One employees but otherwise appeared to be confined to corporate secrets. Vickery alerted the company last week, and the exposed information was taken offline within a day.

But the inadvertent exposure of customers’ data illustrates a problem confounding businesses: Some of their biggest security risks come from their suppliers and contractors.

Fifty-six percent of the businesses polled last year by Ponemon Institute, a security research firm, said they had at some point experienced a data breach linked to a vendor. The exposure only grows as more third-party companies gain access: The survey’s respondents said an average 470 outside companies had access to their sensitive corporate information, up from around 380 a year earlier.

The auto industry has a deep and complex supply chain, and third-party security risk is an area of growing concern, said Faye Francy, the executive director of the Automotive Information Sharing and Analysis Center, a trade group that focuses on cybersecurity.

Milan Gasko, Level One’s chief executive, said it was “extremely unlikely” that the data had been viewed by any outside parties other than Vickery.

Level One provides engineering services, with a focus on robotics and automation, to manufacturing companies, according to its website.