Tesla logo on car showing data leak can lead to GDPR fine

100 GB Data Leak Could Lead To Massive Fines for Tesla in Europe

A Tesla whistleblower has come forward with a 100 GB data leak, and the data protection agency of the Netherlands has said that it is aware of the incident and is investigating.

Among other things, the massive data leak (handed over to German business newspaper Handelsblatt) reportedly contains troves of customer safety complaints about the automated driving functions of Tesla vehicles. While that may well be harmful to Tesla’s business, the inclusion of customer payment information and staff personal information (including Elon Musk’s own Social Security number) could draw fines from European regulators that could range into the low billions.

Tesla employee information, customer files, safety complaints reportedly compromised in data leak

There is no official word yet on an investigation  into the data leak, but speculation is rampant based on the range of materials that were included. Based on the maximum allowed fine of 4% of global annual turnover, a penalty could cost Tesla up to $3.3 billion at most, though no existing General Data Protection Regulation (GDPR) fine has come even close to this percentage of company revenue thus far. Only one penalty has topped a billion euros, and that was handed to Meta just days ago after a years-long investigation and deliberation process.

Over 100,000 former and current Tesla employees are reportedly impacted by the data leak. The files contain salaries, phone numbers, and private email addresses, but there was no mention of other Social Security numbers being included beyond Musk’s. Tesla customers may be worse off in terms of sensitive information exposure, as bank details are reportedly included.

In terms of sensitive internal business information, the data leak reportedly contains numerous safety complaints filed by customers and confidential production information. The safety complaints are focused on the assisted and automated driving systems included with Tesla models, and seem to frequently involve cars doing unpredictable and unexpected things. There are about 4,000 complaints in total, many involving cases of either sudden acceleration or unexpected braking.

Tesla has not officially commented on the issue as of yet, but a company lawyer claimed the data leak was caused by a service technician described as a “disgruntled former employee” who had abused their privileged access. Tesla will be taking legal action against the individual.

Could Tesla face financial issues from leaked safety data?

The issues with the potential GDPR violations are clear, and it will be up to EU regulators (with the Netherlands acting as the initial point agency given Tesla’s EU headquarters being located in Amsterdam) to investigate and determine how that will proceed. What is less clear at this point is what impact the data leak’s safety reports might have on the company’s fortunes.

A deeper dive into the thousands of files reveals that the complaints span almost a complete seven years, from 2015 to 2022, and that most are from the US and over half involve unintended acceleration issues. Most of the rest of the complaints involve braking; the National Highway Traffic Safety Administration has an investigation into hundreds of “phantom braking” complaints that was opened in 2022, and renewed focus was brought to the issue in late 2022 when an eight-car pileup in California was found to be caused by a Tesla’s “Full Self-Driving” (FSD) assistance system shortly after a beta of the feature was made available to all vehicle owners. This ended with a recall of over 362,000 Teslas and a forced pause for FSD installations.

The takeover of Twitter and its ongoing policy changes have dominated news attached to owner Elon Musk, but Tesla has had its own recent string of privacy issues, mostly centered on the internal and external cameras that are standard on all vehicles that have some sort of assisted driving feature. These concerns have been appearing in the media since at least 2021, as owners wondered exactly what sort of video was used for Tesla’s internal development. An answer to that came last month, as Reuters reported on testimony from former employees that the cameras sometimes capture privacy-invasive images without the knowledge of the owners and that these pictures and videos were sometimes passed around the Tesla offices as entertainment from 2019 to 2022.

This is also not the first time Tesla has had a “disgruntled employee” perpetrate a data leak to settle a perceived score. In 2021, the company filed a lawsuit against former process technician Martin Tripp for allegedly exporting confidential manufacturing photos and videos, stealing financial information, and making unauthorized changes to source code. Tripp also set his exfiltration system up on the computers of several coworkers so it would appear as if they were conducting the scheme. Tesla’s driving data storage system, primarily used for crash investigations, was also hacked by a Dutch forensic research team that year.