German car manufacturer BMW’s sensitive internal information stored on a cloud storage server was found to be exposed on the internet. BMW has responded, stating that no personal information was leaked.
American technology news outlet TechCrunch reported on the 15th (local time) that BMW’s cloud storage server, built on Microsoft Azure, was exposed on the internet because it was configured as public rather than private. Can Yoleri, a researcher at cybersecurity firm SOCRadar, confirmed this.
The storage servers in question are known internally at BMW as “buckets.” The exposed bucket contained secret keys to access private buckets, script files with details about other cloud services, and more. Specifically, it included personal keys to access BMW’s US, China, and Europe cloud servers and login credentials for BMW’s production and development databases.
Yoleri commented, “Unfortunately, we can’t know exactly how much data was exposed and for how long.”
BMW also recognized the situation and took action. BMW stated, “The information of customers or company employees was not affected,” and made the exposed bucket private.
Researcher Can Yoleri warned that BMW’s response was insufficient. He added, “Even if the bucket was set to private, the access key should have been changed. Whether the bucket is set to private is not important anymore.”
Following Mercedes-Benz, the exposure of BMW’s cloud containing internal information raises questions about German car manufacturers’ security.
Last month, cybersecurity research lab RedHunt Labs reported that a Mercedes-Benz employee’s personal key was publicly available on GitHub. Using this personal key, one could be granted unlimited access to Mercedes-Benz’s GitHub Enterprise server, potentially exposing internal company information indiscriminately.
Mercedes-Benz responded by revoking the key and swiftly removing the exposed storage server upon receiving the report from RedHunt Labs.
Car manufacturers are storing more data as connected car and autonomous driving technologies are developed in the automotive industry. However, there are concerns that their credibility is being shaken as global car manufacturers are repeatedly involved in critical exposure incidents.
An industry insider stated, “This security incident emphasizes the importance of cybersecurity measures for car manufacturers. As digitalization becomes the core of the automotive industry, it is necessary to strengthen security protocols to maintain trust and conduct regular audits.”