Tesla has disclosed that the data breach impacting over 75,000 employees was an inside job. The electric automaker said two employees copied and shared confidential data with the German newspaper Handelsblatt.
In May 2023, the media outlet reported that the automaker had suffered a massive data breach exposing personal information and customer complaints about Tesla’s self-driving features.
Tesla’s data breach exposed far greater problems
Handelsblatt said it received 100 GB of data with personal and financial information and customer complaints about Tesla’s Full Self-Driving (FSD) features. The data contained 23,000 internal documents and spanned from 2015 to 2022.
Handelsblatt claimed that whistleblowers had shared confidential information about Tesla cars’ autopilot problems and customer complaints.
The outlet had allegedly promised the inside job masterminds that it would not misuse the information and was legally bound by those terms.
After reviewing data for six months, Handelsblatt found that Tesla had far “greater technological problems than previously known.”
According to Business Insider, the documents had various complaints, including 2,400 self-acceleration reports, 1,500 braking issues, and 383 false collision warnings. Numerous lawsuits have been filed concerning the driving assistant feature.
Tesla sues malicious insiders who acted as “whistleblowers”
According to Tesla’s spokesperson, Handelsblatt informed the company it had received the confidential data with sensitive personal information on May 10, 2023.
Tesla responded by launching an investigation and discovered that two former employees violated security protocols when they copied and shared the data with the foreign press.
“The investigation revealed that two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet,” Steven Elentukh, Tesla’s data privacy officer, wrote in a notice sent to impacted individuals.
Subsequently, Tesla filed lawsuits against the two alleged inside job masterminds, which allowed the confiscation of two electronic devices with the leaked information.
Additionally, the automaker obtained court orders to prevent the alleged inside job masterminds from further disseminating the information.
“Tesla also obtained court orders that prohibit the former employees from further use, access, or dissemination of the data, subject to criminal penalties,” the company said.
Additionally, Tesla cooperated with law enforcement and forensics experts and promised to continue to take appropriate steps as necessary.
Tesla’s inside job leaked extensive personal data
According to a data breach notification filed with Maine’s Attorney General, the Tesla data breach leaked personal information such as names, addresses, phone numbers, Social Security Numbers, and work information. The data breach impacted 75,735 current and former employees.
According to Handelsblatt, the data breach also leaked Elon Musk’s Social Security Number, car customers’ bank details, production secrets, and salary information of 100,000 employees.
Although Tesla has no evidence that the information was used in a way that could harm the victims, the carmaker is offering 12 months of identity theft protection with Experian’s IdentityWorks. Tesla has also asked Handelsblatt to delete the leaked information.
Handelsblatt has questioned Tesla’s data handling protocols, given that the inside job masterminds copied 100 GB of data without restrictions.
“This breach makes it clear that Tesla did not have the right controls in place to prevent this type of breach,” said Lior Yaari, CEO and co-founder of Grip Security. “It is actually more common than people think to have former employees’ access to systems remain active after they have left the company.”
Adding that many companies do not maintain a complete inventory of their apps, Yaari noted that “Tesla needs to tighten up their data governance and system access controls, or this will happen again and again.”
According to Dror Liwer, co-founder of Coro, an inside job is the most difficult to prevent.
“Malicious insiders are the most difficult to protect against, as trust is an inherent expectation of co-workers. While this is a case of malicious intent, co-workers can also expose data unintentionally,” said Liwer.
He advised organizations to have “clear, enforced guidelines on who should have access to what, and a clear data retention policy. In both cases, less is more. Less people with access to sensitive information, and retention of sensitive data for the least amount of time absolutely necessary.”
Jeannie Warner, the Director of Product Marketing at Exabeam, suggested that the employees sought revenge against Tesla.
“Information about the two former Tesla employees’ intent for sharing confidential data with a German publication has not been disclosed,” Warner said. “However, the incident happened at a time of large-scale company layoffs. It’s likely that the two former employees were seeking some sort of revenge against Tesla.”
The breach follows another revelation that Tesla workers viewed and shared invasive images recorded by customers’ cars.
Reuters reported that between 2019 and 2022, Tesla employees used internal messaging apps to share sensitive images recorded by customers’ car cameras.
Additionally, Tesla software could show the locations of recordings and was thus capable of disclosing the owner’s address.
There is speculation that the May 10 data breach will attract regulatory action. The Dutch Data Protection Authority was already looking into the matter.