Photo by Artiom Vallat on Unsplash
BMW Security Flaw Exposed Sensitive Company Information
February 15, 2024
A faulty cloud storage server owned by premium car giant BMW revealed sensitive company information, which includes internal data and private keys, according to TechCrunch.
Speaking to TechCrunch, Can Yoleri, a security researcher at threat intelligence company SOCRadar, said that he spotted the exposed BMW cloud storage server when he was doing a regular scan of the internet.
Yoleri revealed that the exposed Microsoft Azure-hosted storage server, also referred to as a “bucket,” in BMW’s development space was “accidentally configured to be public instead of private due to misconfiguration.”
He added that the storage bucket had within it “script files that include Azure container access information, secret keys for accessing private bucket addresses, and details about other cloud services.”
Screenshots were shared with TechCrunch that show the exposed data, which entails login details for BMW’s production and development databases and personal keys for BMW’s cloud services in the U.S., China, and Europe.
It’s unclear at the moment as to the amount of data that was exposed or how long the cloud bucket was out there on the internet. Yoleri said, “Unfortunately, this is the biggest unknown in public bucket problems. Only the bucket owner can see how long it has actually been open.”
According to BMW spokesperson Chris Overall, the data exposure affected a Microsoft Azure bucket within a storage development environment, with no impact on customer or personal data. He added that “the BMW Group was able to fix this issue at the beginning of 2024, and we continue to monitor the situation together with our partners.”
BMW refrained from commenting on the duration of exposure or whether malicious groups had detected the storage bucket. Yoleri said there was no evidence to support this, however, he noted that it “does not mean it doesn’t exist.” He explained, “Even if the bucket has been made private, it was necessary to change these access keys. It doesn’t matter if the bucket is private anymore.”
Recent News
Indeed Announces 1,000 Workers Will Be Laid Off
The job search engine is experiencing some layoffs of its own.
Walmart To Lay off Hundreds of Corporate Staff Members
Walmart is set to lay off hundreds of its corporate staff members. The retail giant will also ask their remote workers to return to the office on a hybrid schedule.
Diamond Industry Shakeup: Anglo Divorces De Beers
The diamond industry is facing a seismic shift as Anglo American Plc announces plans to part ways with its iconic De Beers business.
Home Depot’s First-Quarter Revenue Disappoints
Home Depot, a major player in the home improvement retail sector, recently released its fiscal first-quarter earnings, revealing a complex picture of consumer behavior influenced by economic factors. While the company’s earnings per share exceeded expectations, its revenue fell short, indicating a trend of deferred spending among customers.