Two former Tesla employees have been blamed for leaking the personal data of tens of thousands of current and former employees to a German newspaper earlier this year.
The incident was disclosed in a data breach notification to Maine regulators on Aug. 18, and the electric carmaker said the leak ultimately resulted in the exposure of personal data for 75,735 people.
Tesla data privacy officer Steven Elentukh said the company first learned of the exposure on May 10, when journalists from German news outlet Handelsblatt contacted it to say they had obtained “Tesla confidential information.” That kicked off an internal investigation, which identified the employees as the source.
According to the notice, the German outlet — governed by strict data privacy laws like GDPR — does not intend to publish the leaked data.
“The investigation revealed that two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet,” wrote Elentukh. “The outlet has stated that it does not intend to publish the personal information, and in any event, is legally prohibited from using it inappropriately.”
Tesla also said it filed lawsuits against two of the employees to get access to their electronic devices that “were believed” to store the stolen data and obtained court orders preventing the duo from using or accessing the information. The company also said it contacted law enforcement and worked with external forensics experts to investigate the incident.
The stolen data includes names, addresses, phone numbers and email addresses for current and former employees.
The notice does not provide further details on when the two former employees departed the company, under what circumstances they departed or whether they continued to have access to company systems or data after leaving. Tesla did not return a request for comment.
The threat of exposure by company insiders
The incident highlights the increasing role that insiders — current or former employees who expose their company’s systems or data accidentally, for money or revenge — play in organizational threat models as security teams focus on threats from external hackers.
According to a survey published earlier this year by Cybersecurity Insiders and Gurucul, more than half of respondents said they had experienced an insider threat in the past year, while nearly three out of four said such incidents have become more frequent over the past year and that their organization is at least “moderately vulnerable or worse” to a similar attack.
In addition to incurring lawsuits and regulatory scrutiny, security incidents carried out by insiders can lead to the loss of highly sensitive proprietary data and cause significant damage to a company’s brand.
Lior Yaari, CEO and co-founder of Grip Security, said the proliferation of cloud-based applications and the lack of inventorying at most companies make it difficult to set the kind of security controls that can give organizations peace of mind that those applications are no longer accessible to former employees.
“It is actually more common than people think to have former employees’ access to systems remain active after they have left the company,” Yaari said.
It’s not the first time Tesla has faced the prospect of an employee going rogue: in 2020 a Tesla employee reportedly declined a request from a Russian national to install malware on corporate machines in exchange for $1 million.
Two years before that, the company filed suit against another employee they accused of conducting “sabotage” by altering code used in internal products and exfiltrating data to outsiders. The former employee told news outlets his work amounted to whistleblowing.