A security researcher at threat intelligence company SOCRadar, Can Yoleri, uncovered a misconfigured cloud storage server belonging to automotive giant BMW that led to the exposure of sensitive company information. The exposed data included private keys, internal data, and other confidential details. The misconfiguration of the Microsoft Azure–hosted storage server, which was meant to be private, allowed unauthorized access to the data. The incident raises concerns about the security measures in place to protect sensitive information.
Key Takeaway
The misconfigured cloud storage server belonging to BMW led to the exposure of sensitive company information, including private keys and internal data. While BMW confirmed that the issue was addressed, questions remain about the potential impact of the data exposure and the adequacy of the company’s response to mitigate the risks.
Security Lapse and Data Exposure
Can Yoleri, a security researcher at SOCRadar, discovered the exposed BMW cloud storage server during a routine internet scan. The misconfigured storage bucket contained script files with access information for Azure containers, secret keys for private bucket addresses, and details about other cloud services. The exposed data also included private keys for BMW’s cloud services in China, Europe, and the United States, as well as login credentials for BMW’s production and development databases. The extent of the data exposure and the duration for which the cloud bucket was accessible remain unclear, posing a significant challenge in assessing the potential impact of the security lapse.
Response from BMW
BMW spokesperson Chris Overall confirmed that the data exposure affected a Microsoft Azure bucket in a storage development environment. However, the company assured that no customer or personal data was compromised as a result. BMW stated that the issue was addressed at the beginning of 2024, and the company continues to monitor the situation in collaboration with its partners. Despite making the bucket private after being notified of the issue, BMW has not revoked or changed the passwords and credentials found within the exposed cloud bucket, raising concerns about the ongoing security measures to mitigate the risks associated with the data exposure.