Share this article on:
Electric car manufacturing giant Tesla has said that a data breach that affected thousands of employees earlier this year was caused by insiders.
In a notice issued filed with the Maine Attorney-General on 18 August and issued to Tesla staff, the company announced that two ex-employees were to blame for the data breach that occurred in May, resulting in the personal information of 75,735 individuals being compromised.
The breach was first outed by Handelsblatt, a German publication, which announced that 100 gigabytes worth of data had been stolen and leaked by a “disgruntled former employee” who utilised their position as a service technician to access the data.
Handelsblatt told Tesla that the data included identifiable information, including names, addresses, phone numbers and social security numbers. This data included Elon Musk’s own social security number, according to the publication.
Other data included private email addresses, the salaries of employees, customer bank details and confidential information regarding Tesla production.
In the 18 August notice, Tesla also said that the investigation unveiled the two former Tesla employees behind the breach and found that they had “misappropriated the information in violation of Tesla’s IT security and data protection policies” to access the data, which was then shared with Handelsblatt.
Since identifying the employees, the company has said that it has filed lawsuits against the two employees and seized several devices thought to contain the data. It also obtained court orders that prevent the employees from ever accessing, using or sharing the data.
The Tesla breach in May came quickly after reports that Tesla employees had been sharing customer information and videos and images recorded through car cameras through internal messaging systems.
Reuters reported in April that between 2019 and 2022, “groups” of Tesla staff members shared videos and images recorded by the cameras on customers’ cars, which were at times highly invasive, according to information provided by former employees.
These included crashes, road rage incidents, and embarrassing situations, including a video of a man fully naked.
Reuters reported on one specific video of a child riding a bike in a residential area being hit by a car at high speed.
While Tesla said that “camera recordings remain anonymous and are not linked to you or your vehicle”, according to its Customer Privacy Notice, several ex-employees said that the program they used would show the location of the recordings, allowing them to narrow down where an owner lived.
One ex-staff also said some recordings were made while a car was turned off and parked.
“We could see inside people’s garages and their private properties,” said another.
“Let’s say that a Tesla customer had something in their garage that was distinctive, you know, people would post those kinds of things.”