Tesla has acknowledged in an official filing with the Maine attorney general that the recent data breach, which affected over 75,000 individuals, resulted from an “inside job.” The breach came to light after German media outlet Handelsblatt disclosed that it had obtained a substantial 100GB of data from an insider within Tesla.
On May 10, Handelsblatt notified Tesla about the data acquisition, revealing that the leaked data encompassed at least 23,000 internal files spanning 2015 to 2022. The disclosed data allegedly contained information suggesting that Tesla received around 3,900 reports concerning self-acceleration and brake-function issues in its vehicles. Among these files were crash reports and multiple instances of drivers expressing safety concerns regarding Tesla’s driver assistance system.
Following a thorough investigation into the breach, Tesla pinpointed two former employees as the data leak’s culprits. The company detailed that these ex-employees had “misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet.” Handelsblatt has stated that it has no intent to publish the compromised data, in part due to legal restrictions.
Tesla promptly took measures to address the breach’s impact on those affected. The company’s chief privacy officer reached out to the affected parties, providing them with comprehensive information about the breach, the specific data compromised, Tesla’s actions to address the issue, and guidance for navigating the situation moving forward.
Reflecting on the incident, Lior Yaari, CEO and co-founder of Grip Security, remarked, “This breach highlights Tesla’s apparent lack of appropriate controls to thwart such breaches. It’s actually quite common for former employees to retain access to systems even after leaving a company. However, without further details, it’s hard to ascertain whether this issue stemmed from inadequate security measures or if it was driven by malicious intent from two disgruntled former employees.”
As part of the breach mitigation efforts, Tesla offers complimentary credit monitoring services through Experian’s IdentityWorks to all individuals whose data was compromised.
This incident underscores the ongoing challenge posed by insider threats in cybersecurity. As organizations grapple with safeguarding their data and protecting sensitive information, the Tesla case highlights the importance of robust data protection policies, stringent employee access controls, and continuous monitoring to guard against internal and external risks. Centraleyes Risk and Compliance Platform offers comprehensive strategies for mitigating insider risks within zero-trust frameworks.