Tuesday, June 29, 2021

Carmaker's vulnerabilities aren't just with embedded systems

 

Few companies have full vertical integration of their supply chain, meaning most companies require inputs from outside the company for their products or services. Vehicle OEMs require modules or parts from other manufacturers. This supply chain may be rather extensive, depending on the unit or vehicle, and it includes both hardware and software.

With all these other companies involved in the vehicle business, there is bound to be the occasional issue. With all the third parties involved, there will be a problem, or several problems, somewhere along the supply chain. This has happened before and will certainly happen again. In particular, VW and its subsidiary had the pleasure of addressing this recently.

Customer records, depending on the data, have varying levels of value to the company and to third parties with malicious intent. VW had over 3.3M customer records exposed. This incident is not directly their fault. A vendor happened to leave a cache of customer data open on the internet. We all know what happens when you leave data open and available on the internet. The data was not left available for just a week or two for anyone to peruse. It was left open from August 2019 to May 2021, or nearly two years. To make it worse, the customer data did not cover a quarter or a year, but five years (2014-2019). That is a large amount of data available to be viewed, and it is very usable in many applications. This is not only a cybersecurity issue, but also a data science one. The data would be valuable to VW’s competitors for a variety of uses.

The data itself was collected for VW’s marketing and sales department. This included the customer’s personal information (name, mailing address, email address, and phone number). In addition, over 90K customers in the US and Canada had loan eligibility information exposed. This also included driver’s license numbers. Of this sample, a small number also had the customer’s date of birth and social security number available.

VW informed law enforcement and regulators regarding the issue. They are also working with cybersecurity subject matter experts (SMEs). The situation is being handled; however, the issue runs a bit deeper. The supply chain is a requirement in our society. There are few businesses which have full vertical integration. There will be external vendors involved with your product. While the vendors are present and provide their service, the company should still complete its due diligence not only at the beginning of the business relationship, but periodically for as long as there are transactions. Simply checking the box that the work was examined in years past is not sufficient. Cybersecurity is a constantly changing industry requiring updated monitoring and adjustment.
