Friendly hackers save Ford from potential leak of employee, customer data

Phoebe Wall Howard
Detroit Free Press

Ford Motor Co. has kept both customer and employee records from leaking after cybersecurity researchers alerted the automaker that an internal system holding sensitive proprietary information was exposed to outside attackers, the Free Press confirmed Tuesday.

"Based on evidence provided to Ford and our internal investigation, we don’t believe any sensitive personal information about employees or customers was accessed or compromised in this instance, which was identified and addressed nearly six months ago," Ford spokesman T.R. Reid said. "The safety and trust of customers and employees is a top priority for our Ford cybersecurity team and processes."

Cybersecurity researchers, the kind widely described as friendly or ethical hackers, identified the issues of concern in the first quarter of 2021.

'Once the situation is safe'

But the company had never officially stated whether or not the system had a data breach, said Ax Sharma, a London-based cybersecurity expert who has been writing about the incident. "They've waited a whole six months to disclose this. Having a data breach or not, that's not the point. You usually make the findings public on HackerOne, a platform that lets researchers report things to companies, once the situation is safe."

HackerOne describes itself as a bug bounty platform that connects businesses with cybersecurity researchers. Researchers correspond with the company through HackerOne, and publishing the resolved report brings closure to the situation so that others may learn from it, Sharma explained.

"There never has been an official disclosure by Ford. They went silent," Sharma told the Free Press during a phone interview from London, England.

Urgent alert

The Dataminr news alert system on Sunday night said the Ford website had allowed online security "researchers" access to confidential company records, databases, and confidential customer information.

The blog databreaches.net, which describes itself as a news aggregation, investigation and commentary site created in 2009, warned the Ford system was so vulnerable that it also allowed for "account takeovers."

"A bug on Ford Motor Company's website allowed for accessing sensitive systems and obtaining proprietary data, such as customer databases, employee records, internal tickets," according to bleepingcomputer.com, an information and technology news website based in Melville, New York.

The site, established in 2004, says it focuses on cybersecurity with a mission to provide alerts about potential threats. Government agencies including the U.S. Treasury Department and the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security have cited bleepingcomputer.com cybersecurity analysis in advisories as recently as 2020.

In the case of Ford, the bleepingcomputer.com website said in an article posted and dated Sunday, that "data exposure stemmed from a misconfigured ... customer engagement system running on Ford's servers."

High-profile hackers

The researchers stated that some of the exposed assets contained sensitive personally identifiable information and included:

  • Customer and employee records
  • Finance account numbers
  • Internal support tickets
  • User profiles within the organization

That "vulnerability" was discovered by security engineer Robert Willis and a colleague known as break3r, with further validation and support provided by members of Sakura Samurai ethical hacking group — Aubrey Cottle, Jackson Henry and John Jackson, the site said.

"The impact was large in scale. Attackers could ... obtain troves of sensitive records, perform account takeovers, and obtain a substantial amount of data," Willis wrote in a blog posting titled "Ford Breach, August 2021 Disclosure" that includes images of internal information accessed.

"Researchers shared many screenshots of Ford's internal systems and databases with BleepingComputer. For example, the company's ticketing system," which was revealed in an image with the story. 

The team of hackers involved in this project includes key names in cybersecurity.

Cottle is known as the founder of Anonymous, an activist collective that targeted organizations including the Westboro Baptist Church after its members planned to picket Sandy Hook funerals, MarketWatch wrote in November.

Willis, a security engineer and hacker, tweeted to his 12,200 followers on Twitter on Sunday, "Ford bug exposed customer and employee records from internal systems."

Although the issue was reported to Ford, the hackers said communication with the company was limited and "at one point in time, they completely stopped answering our questions," Jackson told BleepingComputer. "It took HackerOne mediation to get an initial response on our vulnerability submission from Ford."

When the vulnerability was marked as resolved, Jackson told BleepingComputer, Ford ignored the disclosure request.

"We had to wait the full six months to force disclose per HackerOne's policy out of fear of the law and negative repercussions," Jackson said.

"At this time, Ford's vulnerability disclosure program does not offer monetary incentives or bug bounties, so a coordinated disclosure in light of public interest was the only 'reward' researchers were hoping for," bleepingcomputer.com wrote Sunday.

"The findings you submitted ... are considered private. These vulnerability reports are intended to prevent compromises which may require disclosure," Ford said at the time, according to BleepingComputer.

"Although the endpoints were taken offline by Ford within 24 hours of the report, the researchers comment in the same report that the endpoints remained accessible even afterward, and requested another review and remediation," the article said.


Contact Phoebe Wall Howard at 313-618-1034 or phoward@freepress.com. Follow her on Twitter @phoebesaid.