Tesla data breach caused by “insider wrongdoing”

A data breach at Tesla, which affected 75,735 people and saw sensitive company data compromised, was caused by two former employees, the electric car maker said.

In a data breach notice filed with Maine’s attorney general, Tesla’s data privacy officer, Steven Elentukh, said its investigation into the incident “revealed that two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies” and shared it with Handelsblatt, a German media company.

Handelsblatt reported in May that insiders had leaked 100 gigabytes of data from Tesla’s IT system.

According to TechCrunch, the compromised Tesla data obtained by Handelsblatt included “personally identifying information, including names, addresses, phone numbers, employment-related records and Social Security numbers belonging to 75,735 current and former employees” – including Elon Musk’s own Social Security number – as well as “customer bank details, production secrets and customer complaints about Tesla’s Full Self-Driving (FSD) features.”

Tesla says it “immediately took steps to contain the incident” and “filed lawsuits against the two former employees,” which “resulted in the seizure of the former employees’ electronic devices that were believed to have contained the Tesla information.”

It also notes that Handelsblatt “has stated that it does not intend to publish the personal information, and in any event, is legally prohibited from using it inappropriately.”

Not the first Tesla incident

This isn’t the first time Tesla employees have misused customer data. In April, Reuters reported that staff had used an internal messaging system to share “sometimes highly invasive videos and images recorded by customers’ car cameras” between 2019 and 2022.

These recordings included crashes, road-rage incidents, images of naked car owners, and “more mundane” images, including “pictures of dogs and funny road signs.”

Tesla’s customer privacy notice states that “camera recordings remain anonymous and are not linked to you or your vehicle.” However, according to Reuters, Tesla employees said “the computer program they used at work could show the location of recordings – which potentially could reveal where a Tesla owner lived.”

“We could see inside people’s garages and their private properties,” another former employee told Reuters. “Let’s say that a Tesla customer had something in their garage that was distinctive, you know, people would post those kinds of things.”

While these incidents obviously raise questions about the automotive giant’s data security practices, the implication for other organizations that process personal data is clear enough: it’s critical to implement staff training programs that emphasize the importance of data privacy, along with processes that ensure personally identifiable information is handled appropriately and in line with the many data protection laws that might apply.

Free webinar: Privacy Integration – Empowering your ISO 27001 ISMS with ISO 27701 and EuroPrivacy Certification

If you want to know more about data privacy, you will be interested in our 45-minute webinar, delivered by our Founder and Executive Chairman, Alan Calder, and hosted in association with Perry Johnson Registrars.

It will provide a practical overview of integrating privacy into your existing ISO 27001 ISMS (information security management system) while leveraging the power of ISO 27701 and EuroPrivacy certification.

Discover how ISO 27701 can significantly enhance your privacy practices, align with international privacy standards, and fortify your overall information security framework.

In addition, learn how EuroPrivacy certification, an EDPB-approved certification that demonstrates GDPR compliance, can provide US companies offering services into the EU with an invaluable badge of credibility.