Tesla Says Massive Data Breach was an Inside Job

The huge data breach that affected more than 75,000 Tesla employees was an insider job perpetrated by two ex-employees who leaked the information to a German business newspaper, according to the company.

In a notice to the Maine attorney general’s office and a letter sent earlier this month to those affected by the leak, Steven Elentukh, Tesla’s data privacy officer, wrote that the unnamed former employees sent the data to Handelsblatt, the media outlet, which in turn notified Tesla on May 10.

In all, the breach included data from 75,735 employees, according to the notice to Maine.

An investigation by law enforcement agencies and independent third-party forensic experts uncovered the role of the two former workers, Elentukh wrote, adding that Tesla has since sued both.

“These lawsuits resulted in the seizure of the former employees’ electronic devices that were believed to have contained the Tesla information,” he wrote. “Tesla also obtained court orders that prohibit the former employees from further use, access, or dissemination of the data, subject to criminal penalties.”

Among the confidential data leaked to Handelsblatt were employee-related records, according to Elentukh. The newspaper said it didn’t intend to publish the personal information – which included addresses, Social Security numbers (including that of CEO Elon Musk), and phone numbers – adding that it legally can’t use it inappropriately.

That said, Handelsblatt did write a story based on information from the leak, which involved 100GB of confidential data. The story talked about Tesla’s failure to protect personal data of employees and customers and almost 4,000 complaints by customers about the driver assistance system in Tesla cars, including problems with sudden acceleration and unintended braking due to inadvertent collision warnings.

In all, the media outlet received 23,000 internal files that ran from 2015 to 2022.

In an earlier report, Reuters wrote about some Tesla employees using an internal messaging system to pass around videos and images recorded by customers’ car cameras.

In his letter to affected employees, Elentukh said there was no evidence that personal information was misused. However, Tesla is still offering those workers membership in Experian’s IdentityWorks, an identity theft service. Membership includes credit monitoring and identity detection and resolution services.

The data breach also likely caused regulatory headaches for the electric vehicle manufacturer. Companies that sustain a breach are obligated to notify government agencies within a certain timeframe after discovering the problem – regulations vary from state to state – as well as affected individuals.

Tesla’s breach also fell within the purview of the European Union’s General Data Protection Regulation (GDPR), which can fine companies that do not adequately protect personal data. There were reports in May that the Dutch Data Protection Authority was looking into the breach – Tesla’s European headquarters are in the Netherlands – though no determination has been made.

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.