IT Home reported on February 18 that according to foreign media TechCrunch, the cloud storage server of the automobile giant BMW had a misconfiguration event, resulting in the exposure of sensitive information such as private keys and internal data.
Researcher Can Yoleri said that during a routine scan, it found that the Microsoft Azure Managed Storage Server (also known as the "bucket") in BMW's development environment was configured as public rather than private.
Yoleri added that the bucket contains "script files that include Azure container access information, keys to access private storage server addresses, and details of other cloud services."
According to information learned by TechCrunch, the exposed data includes BMW's cloud service private keys in China, Europe and the United States, as well as login credentials for BMW's production and development databases, although it is unclear exactly how much data was exposed.
A BMW spokesperson has confirmed that the data breach affected Microsoft Azure Buckets, which are based on storage development environments, and said that no customer or personal data was affected as a result. "The BMW Group has fixed this issue in early 2024 and we will continue to monitor the situation with our partners," the spokesperson added. ”
BMW would not say how long the cloud storage server exposure had lasted or whether the exposed data had been maliciously accessed. According to researcher Yoleri, BMW has yet to revoke or change the set of passwords and credentials found in the exposed cloud storage servers.
According to a previous report by IT House, another auto giant, Mercedes-Benz, has recently had a similar data security incident: the security lab RedHunt found the github private key from the **warehouse of a Mercedes-Benz employee, and this private key can access all ** on the internal GitHub server of Mercedes-Benz.