Leak of 75k employee records was insiders’ fault, claims Tesla

Insiders are to blame for a May data breach at Tesla, the company claimed in filings after news of the incident was reported months ago by German media.

The incident, Tesla disclosed in a data breach notification with the state of Maine and accompanying letter [PDF] to those affected, was the fault of two Tesla employees whom it alleged stole the info before sharing it with German business news outlet Handelsblatt.

Tesla said it has identified and filed lawsuits against the two now-former employees it accused of this, which has resulted in the seizure of the ex-staffers’ electronic devices. Tesla’s breach notification said that data belonging to 75,735 current and former employees was part of the stolen dataset, which reportedly contained names, contact information, social security numbers, and more. 

“We have not identified evidence of misuse of the data in a manner that may cause harm” to those affected, Tesla said. Regardless, Elon Musk’s car company is offering free credit monitoring, as is the norm after such incidents. 

The Handelsblatt story [paywalled] from May paints a more detailed picture of the data included in the breach, which the publication said goes well beyond data belonging to Tesla employees. 

The 100GB of data it received from the leakers, which Handelsblatt has dubbed the “Tesla files,” includes an “abundance” of customer data, and PII for more than 100,000 Tesla employees – including Elon Musk. The German outlet claimed private email addresses, salary info and bank details were also part of the breach.

But wait: There’s more!

Tesla said Handelsblatt notified it of the breach in May and “stated it does not intend to publish the personal information, and in any event, is legally prohibited from using it inappropriately.”

It wasn’t prevented, however, from discussing other elements of the leaked data, like internal Tesla information including thousands of alleged customer complaints, some 4,000 of which reportedly focused on sudden acceleration and phantom breaking.

Handelsblatt described the leak as a failure by the corporation to protect its sensitive data from employees. According to a Tesla lawyer quoted in the original story, one of the leakers – as alleged by Tesla – is said to be a disgruntled former service technician whom it claims abused their access to exfiltrate the data. 

Per Reuters, German authorities said in May they were investigating the potential that the leak puts Tesla in the crosshairs of a GDPR violation, which Handelsblatt alleged is the case. 

Speaking of privacy violations, Tesla employees were caught earlier this year sharing embarrassing camera recordings taken from customer vehicles, something that could open the company up to even more litigation. 

“By default, images and video from the camera do not leave the vehicle itself and are not transmitted to anyone, including Tesla, unless you enable data sharing,” Tesla’s Model 3 owner’s manual reads in contrast to the alleged reality of the situation as described by several former employees. 

In the Handelsblatt case, the leak of so much insider data to a news outlet by Tesla employees raises obvious questions of whether Tesla learned anything from the last incident and whether it has proper data access rules in place. It’s also sure to raise the hackles of privacy regulators even more than they already are. 

Tesla didn’t respond to questions from The Register. ®

READ MORE HERE