BMW security error left valuable private company data exposed online
Another day, another misconfigured database
Automotive giant BMW kept a cloud storage server hosting sensitive data such as private keys and internal information unprotected on the internet, and available to anyone who knew exactly where to look.
Security researcher Can Yoleri approached TechCrunch claiming to have found a Microsoft Azure bucket that was misconfigured, and thus set to be public instead of private.
Yoleri explained that the bucket held “script files that include Azure container access information, secret keys for accessing private bucket addresses, and details about other cloud services.” He also found private keys for BMW’s cloud services in China, Europe, and the US. The bucket also contained login credentials for BMW’s production and development databases.
No evidence of file tampering
The logical conclusion here is that if Yoleri could find it - so can malicious actors. Unfortunately, only BMW can say for how long the database remained unprotected, and if anyone accessed it beforehand.
The carmaker’s spokesperson told the publication that there was no evidence the incident affected customers or personal data. The database was locked down at the beginning of 2024, the spokesperson confirmed. However, not finding evidence and something not happening at all are, obviously, two entirely different things. Whether or not someone steps forward with a database remains to be seen.
However, the worst part is that BMW did not change the secrets that were hosted in the database, Yoleri said. If someone accessed it in the past, it doesn’t matter that it’s now locked down - the credentials and other secrets in there are still valid, and valuable. We’re still waiting on confirmation that BMW has revoked the secrets.
Unprotected and misconfigured databases remain one of the most common causes of data leaks and spills today.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.