While this blog post provides a description of a data exposure discovery involving Power Quality Engineering, this is no longer an active data breach. As soon as the UpGuard Cyber Risk Team notified PQE of this publicly exposed information, immediate action was taken, securing the repository and preventing further access.

The UpGuard Cyber Risk Team has discovered a new data exposure within the systems of Texas-based electrical engineering operator Power Quality Engineering (PQE) , revealing the information of such clients as Dell, the City of Austin, Oracle, and Texas Instruments, among others. Left accessible to the wider internet via a port configured for public access and used for rsync server synchronization, the breach allowed any interested browser to download sensitive electrical infrastructure data compiled in reports by PQE inspectors examining customer facilities.

With a poor CSTAR external cyber risk score of 181 out of a possible 950 at the time the exposure was discovered, PQE presents a number of potentially damaging attack vectors with this exposure. Beyond this highlighting of potential weak points and trouble spots in customer electrical systems, publicly downloadable schematics reveal the specific locations and configurations of government-operated top secret intelligence transmission zones within at least one Dell facility. In addition to this exposed customer data, a plain text file of internal PQE passwords was also stored in the repository, potentially enabling further access to more company systems.

This exposure illustrates several pertinent and common issues driving the spread of cyber risk today. The configuration of PQE’s rsync process to allow public access through an open port is an all too common state of affairs in IT environments. While IT personnel can restrict port access to only authorized PQE employees, such measures can easily be forgotten without processes in place to ensure security gaps are identified and closed immediately.

With growing public awareness of the increasing plausibility of cyber assaults on critical infrastructure, exposed electrical data could be of growing utility to malicious actors seeking to attack corporations and public services. The exposure of sensitive, specific data about top secret data handling facilities within an enterprise IT environment further shows the risks of third-party vendors entrusted with highly prized information. Gartner estimates that three quarters of the world’s top 500 companies will, by 2020, consider such vendor risk to be a board-level concern, for reasons which continue to become apparent.

The Discovery

On July 6th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an open port configured to accept packets at an IP address which, when entered into a command-line interface, returned a fully downloadable data repository originating from Power Quality Engineering. Containing such folders as “Clients,” “User,” and “Intuit,” the full size of the repository is unknown. In an indication of the exposure’s potential scope, however, Vickery had downloaded a 205 GB portion of data from the repository at the time PQE secured its systems on the evening of July 8th, shortly after being notified by UpGuard.

The exposed port granting public access to these systems, 873, is the default port used for rsync (remote synchronization), a command line utility that allows for the easy and rapid copying of data to another machine. While the IP addresses able to access these systems via this port can be easily restricted by IT administrators using rsync’s “hosts allow/deny” functions, this requires an extra step once the rsync utility is configured. This default accessibility, while simple to restrict, can be missed.