
Tesla

Summary

Tesla filed a notice of data breach with the Attorney General of Maine on 18 August 2023 after discovering that sensitive information belonging to more than 75,000 current and former employees was leaked by two former Tesla employees to German media outlet Handelsblatt. The investigation revealed that the two former employees misappropriated over 100 gigabytes of data containing 23,000 internal documents spanning from 2015 to 2022, violating Tesla's IT security and data protection policies. Tesla filed lawsuits and obtained court orders prohibiting the former employees from further use or dissemination of the data.

What Happened

On 10 May 2023, Handelsblatt informed Tesla that it had obtained confidential Tesla information. Tesla immediately launched an investigation, which revealed that two former Tesla employees had misappropriated company information in violation of Tesla's IT security and data protection policies and shared it with the media outlet.

The former employees leaked more than 100 gigabytes of data to Handelsblatt. The data contained 23,000 internal documents spanning from 2015 to 2022. The leaked information included employee personal data as well as customer complaints about Tesla's Full Self-Driving technology and vehicle safety issues.

Tesla filed lawsuits against the two former employees, which led to the seizure of electronic devices believed to have contained company information. The company obtained court orders that prohibit the former employees from further use, access, or dissemination of the data, subject to criminal penalties.

Impact on Individuals

More than 75,000 current and former Tesla employees were affected by the breach. The compromised data potentially included:

  • Names
  • Physical addresses
  • Phone numbers
  • Email addresses
  • Employment records
  • Salary information

The exposure of employment and salary information represents a significant privacy violation for affected employees. Such information could be used for targeted social engineering attacks or identity theft, or could cause embarrassment if comparative salary information becomes known to colleagues or competitors.

Because the data spanned from 2015 to 2022, many former employees who had moved on to other careers were unexpectedly caught up in the breach and had to be notified years after leaving Tesla.

Organisational Response

Tesla took immediate action upon learning of the leak, filing lawsuits against the two former employees responsible and obtaining court orders to prevent further dissemination of the stolen data. The company worked with law enforcement to seize electronic devices containing company information.

Tesla notified over 75,000 affected current and former employees in accordance with data breach notification requirements. The company filed formal notices with state attorneys general as required by law.

Tesla's lawsuits against the two former employees resulted in court orders prohibiting them from further use, access, or dissemination of Tesla data, with violations subject to criminal penalties. The legal action demonstrates Tesla's aggressive approach to pursuing insiders who misappropriate company data.

The incident highlighted the significant risks posed by insider threats, particularly from departing employees who may have access to large volumes of sensitive data and the technical knowledge to exfiltrate it before leaving the organisation.
