In a surprising twist to the usual narrative of cyberattacks, electric car titan Tesla has disclosed a data breach affecting approximately 75,000 people. The breach, however, did not result from a malicious cyberattack but was due to a whistleblower leak.
Earlier in May, Tesla discovered that personal information, including social security numbers of over 75,700 individuals, had been exposed. This compromised data includes names, contact details, and employment records of both current and former Tesla employees. The breach was brought to light when German media outlet Handelsblatt reported that it had received a staggering 100 Gb of confidential Tesla data from a whistleblower.
The breach can be traced back to two former Tesla employees who allegedly shared this confidential company data with Handelsblatt. Tesla has stated that these ex-employees “misappropriated the information in violation of Tesla’s IT security and data protection policies.” This incident underscores the challenges companies face in ensuring data security, even post-employment.
Termed as the ‘Tesla Files’, the leaked data reportedly encompasses details of more than 100,000 current and former Tesla employees. This includes sensitive customer banking details, production trade secrets, and complaints related to Tesla’s driver assistance systems.
Reacting swiftly to the breach, Tesla initiated legal action against the employees responsible. “Among other things, we identified and filed lawsuits against the two former employees,” Tesla said in a notification letter sent to the data breach victims. “These lawsuits resulted in the seizure of the former employees’ electronic devices that were believed to have contained the Tesla information.”
The company also secured court orders prohibiting the ex-employees from further dissemination or use of the stolen data, with the threat of criminal penalties for non-compliance. To further protect the affected individuals, Tesla is offering credit monitoring and identity protection services.
While this breach was not the result of a traditional cyberattack, it has heightened concerns about data protection within companies. The incident serves as a stark reminder of the vulnerabilities posed by insider threats and the significance of data protection policies and stringent employee exit protocols.