
Former Tesla Employees Implicated in Major Data Breach Affecting 75,000 Employees

Tesla has identified two former employees as responsible for a significant data breach that leaked the personally identifiable information (PII) of over 75,000 employees, according to a report by TechCrunch. The breach, labeled as "insider wrongdoing," involved sensitive employee data, including social security numbers. Tesla's data privacy officer, Steven Elentukh, filed a report with the Maine attorney general's office outlining the breach.

The breach came to light when German media outlet Handelsblatt, recipient of 100GB of Tesla's confidential information, informed the company on May 10th that it had received sensitive data. An investigation conducted by Tesla revealed that the breach had been perpetrated by two former employees who violated the company's IT security and data protection policies. Tesla has taken legal action against the former employees and seized their electronic devices.

Tesla's response also included a template letter by Elentukh to inform affected employees in Maine about the incident. Handelsblatt gave assurances that it will uphold the strict data protection laws of its country, safeguarding the data of the 75,735 current and former employees affected. Notably, even Tesla CEO Elon Musk's social security number was found among the over 23,000 documents that Handelsblatt received.

In addition to the breach, Handelsblatt revealed customer complaints regarding Tesla's Full Self-Driving (FSD) technology. The advanced driver-assistance system, aimed at achieving autonomous city driving capabilities, encountered around 2,400 self-acceleration issues and over 1,500 braking problems reported by customers between 2015 and March 2022. Tesla demanded that Handelsblatt delete the data pertaining to these complaints.

This incident marks a continuation of data mishandling within Tesla. Earlier this year, it was reported that employees accessed and shared private videos recorded by customers' Teslas through the vehicles' Sentry Mode security systems. Cybersecurity experts from around the industry weighed in on the incident and how organizations can reduce the risks of insider threats.

Almog Apirion, CEO and Co-Founder of Cyolo:

"This attack underscores the crucial impact of over-permissioned internal users within an organization's infrastructure. In this instance, the sheer amount of sensitive employee and customer information – including Elon Musk's own SSN – publicly distributed poses a serious threat for potential ramifications. The news highlights the need for proper security protocols and overall cyber hygiene.

To reduce the risks of insider threats, modern strategies are essential. These encompass adopting advanced technologies like zero-trust access and high-risk identity management, which enable swift asset restriction, constant authentication and real-time access control. Embracing such security measures ensures organizations safeguard their internal infrastructure.


While malicious insiders can't be eliminated, internal access can be confined to essential personnel, and in the case of people leaving the company, they no longer have access to any assets."

Nikhil Girdhar, Senior Director of Data Security at Securiti.ai:

"The recent data breach at Tesla, which compromised the sensitive information of 75,000 employees due to insider misconduct, brings to the forefront a common dilemma many companies face: balancing employees' need for data access for business operations while minimizing security risks.

One best practice for managing insider risk is to limit sensitive data access to only employees and vendors who require it for their tasks. This is easier said than done; manual access governance often leads to "permissions leakage," where employees end up with broader data access than necessary. However, automating access controls based on employee roles and using anonymization techniques such as data masking or synthetic data generation can reduce the number of employees accessing sensitive information without hindering business projects.

Continuous monitoring of user activity, especially activity involving access to sensitive data, serves as the second pillar of a strong defense strategy against insider threats. Despite having stringent access controls in place, companies must remain vigilant for signs of suspicious activity, such as substantial data exports or the unauthorized use of external storage devices. AI-based anomaly detection techniques can be powerful, enabling teams to flag and block suspicious activity in real-time and defend against insider risks."

Dror Liwer, co-founder of cybersecurity company Coro:

“Malicious insiders are the most difficult to protect against, as trust is an inherent expectation of co-workers. While this is a case of malicious intent, co-workers can also expose data unintentionally. This is why organizations must have clear, enforced guidelines on who should have access to what, and a clear data retention policy. In both cases, less is more. Less people with access to sensitive information, and retention of sensitive data for the least amount of time absolutely necessary.”
