
Tesla Sues 2 Former Employees Over Insider Data Breach

Whistleblower Leaks Included Information on 75,735 Current and Former Employees

Tesla says it is suing two former employees for perpetrating a May data breach that exposed personal information for 75,735 current and former employees.


The Austin, Texas-based electric car manufacturer began notifying affected individuals Friday, as part of its ongoing probe into a May data breach it blamed on "insider wrongdoing."

The company said it had learned of the breach on May 10, when German business newspaper Handelsblatt informed Tesla that it had received 100 gigabytes of leaked data from a whistleblower that contained employee information, including Social Security numbers.

Tesla said Handelsblatt had told the carmaker it would not - and legally could not - publish the employee information. On May 25, the paper published a report based on the leaked information, which included internal communications revealing over 3,000 customer complaints concerning Autopilot that the company appeared to have tried to minimize.

The Handelsblatt report also said Tesla was failing to adequately protect access to customer and employee data, The Guardian reported. Handelsblatt quoted a Tesla attorney blaming the 100 gigabyte data leak on a "disgruntled former employee" who worked as a service technician, according to The Guardian.

The carmaker's subsequent probe of the breach "revealed that two former Tesla employees misappropriated the information in violation of Tesla's IT security and data protection policies and shared it with the media outlet," according to the data breach notification sent to affected individuals from Tesla Data Privacy Officer Steven Elentukh.

Exposed information included each individual's name and contact information, such as email addresses and phone numbers, as well as Social Security numbers.

After the breach came to light, "Tesla immediately took steps to contain the incident, understand the scope, and protect your information," in part by identifying the two employees and filing lawsuits against them, the notification says.

"These lawsuits resulted in the seizure of the former employees' electronic devices that were believed to have contained the Tesla information," the notification reads. "Tesla also obtained court orders that prohibit the former employees from further use, access or dissemination of the data, subject to criminal penalties."

Tesla said it is also working with law enforcement agencies. Whether or not the former employees might face criminal charges remains unclear.

Tesla Faces Multiple US Probes

The leaks occurred as Tesla is facing numerous government investigations, and many of them focus on the driver-assistance features the company builds into its vehicles as well as how it has marketed that functionality to drivers.

In October 2022, the U.S. Department of Justice announced the launch of a criminal investigation into the automaker triggered by 16 Tesla cars being involved in crashes - some fatal - with stationary emergency vehicles. All of the crashes apparently occurred when driver-assistance features had been enabled for at least 30 seconds before the crash, Reuters reported.

In a February filing with the Securities and Exchange Commission, Tesla said it had received a request from the Justice Department pertaining to information about its Autopilot as well as full self-driving features. The latter is a beta option available as a $15,000 add-on.

"To our knowledge no government agency in any ongoing investigation has concluded that any wrongdoing occurred," Tesla said in its filing.

America's National Highway Traffic Safety Administration has also been probing Tesla. One of its multiple investigations was launched in 2021 and centers on the Autopilot driver-assistance feature present in 830,000 Tesla vehicles. In June 2022, the NHTSA expanded its probe into an engineering analysis, which could lead the regulator to require that vehicles be recalled.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



