BMW confirms data leak through unprotected cloud storage
Learn More
BMW has confirmed a cybersecurity lapse when a misconfigured cloud storage server, hosted on Microsoft Azure, inadvertently exposed sensitive company information.
The "open bucket" storage was configured within BMW's development environment and mistakenly set to public access due to a misconfiguration. The exposed data encompassed:
- script files detailing access to the Azure container,
- secret keys for entering the private addresses of the bucket,
- information pertaining to other cloud services
- private keys associated with BMW's cloud services across China, Europe, and the United States
- login credentials for BMW's production and development databases.
The extent of the exposed data and the duration of the server's public accessibility remain unclear. Despite the absence of evidence indicating malicious exploitation, the potential for the data to have been accessed by attackers cannot be dismissed. The company managed to close the public bucket at the start of 2024 and are now monitoring the systems for compromise.
BMW spokesperson confirmed the incident to TechCrunch, stating that the breach impacted a Microsoft Azure bucket. BMW assured that no customer or personal data were compromised.
