Tesla has acknowledged a data breach affecting around 75,000 individuals, but the incident is the result of a whistleblower leak rather than a malicious attack.
The company informed US authorities that a data breach found in May exposed the personal information, including social security numbers, of over 75,700 people.
According to a notice letter issued to those affected, the data breach is the result of two former workers sending private data to the German news publication Handelsblatt. Tesla stated that the former employees "misappropriated the information in violation of Tesla's IT security and data protection policies."
The leaked data includes names, contact information, and employment-related details for current and previous employees. Individuals affected are being offered credit monitoring and identity protection services.
The leak was discovered in May when Handelsblatt claimed that a whistleblower had given it 100 Gb of private Tesla data. According to the publication, Tesla did not effectively protect the data of its partners, customers, and employees.
The 'Tesla Files', which were leaked, apparently contained information on over 100,000 current and former employees, bank account information for customers, trade secrets for production, and customer concerns about driver assistance systems. The car maker has been reassured by Handelsblatt that it has no plans to publish the whistleblower's personal information.
Given the circumstances of the incident, the chances of the exposed data being misused are minimal, with Tesla likely commencing the data breach disclosure process owing to legal constraints.
Tesla has filed litigation against the employees responsible for the data breach, whose lawyer labelled the leaker as a "disgruntled former employee" when the leak was discovered.
“These lawsuits resulted in the seizure of the former employees’ electronic devices that were believed to have contained the Tesla information. Tesla also obtained court orders that prohibit the former employees from further use, access, or dissemination of the data, subject to criminal penalties,” the car manufacturer noted in its recent breach notification.