Tesla data breach caused by ‘insider wrongdoing’
The data breach saw the sensitive data of more than 75,000 Tesla employees leaked
A data breach that impacted car manufacturer Tesla in May of this year has been confirmed as the result of “insider wrongdoing”, according to a data breach notice filed by the company.
The data breach was discovered in May after German publication Handelsblatt broke the news of the cyber security incident, which saw 100GB worth of data stolen from Tesla and leaked. Handelsblatt said in its coverage of the breach that a Tesla lawyer had said the breach had been caused by a “disgruntled former employee”. Said employee had apparently abused their position as a service technician to gain access to the data.
The data, which was spread across more than 23,000 files, contained sensitive data on both current and former Tesla employees. This included the phone numbers, private email addresses and salaries of employees, bank details of customers and confidential details from Tesla production. It also included some employee social security numbers, including that of Tesla CEO Elon Musk.
Other data leaked included 2,400 customer complaints about their Tesla vehicles.
In a data breach notice shared with Tesla staff and filed with the Maine Attorney General on August 18, Tesla noted that the data breach had impacted 75,735 employees and had been caused by “insider wrongdoing”.
The notice said that an investigation into the data breach had "revealed that two former Tesla employees misappropriated the information in violation of Tesla's IT security and data protection policies" to gain access to the data. The former employees had then shared the data with Handelsblatt.
The notice explained that Handelsblatt "does not intend to publish the personal information, and in any event, is legally prohibited from using it inappropriately."
Tesla went on to explain that, owing to a series of lawsuits regarding the data breach, devices thought to contain the data had been seized. The car manufacturer has also obtained court orders that “prohibit the former employees from further use, access, or dissemination of the data”.