2023-08-20 18:53:39
Düsseldorf The US electric car manufacturer Tesla has informed the Attorney General in the US state of Maine about a large-scale data leak. A total of 75,735 people are said to be involved in a statement from the company on the agency’s website. Tesla also began teaching those affected personally on Friday.
“We are writing to inform you of an incident affecting your data,” it says in the letter from Tesla’s privacy officer. The company wants to ensure that those affected are informed about the incident and the “measures taken” by Tesla. At the same time, the electric car maker makes it clear: Tesla “found no evidence of misuse of the data in a way that could harm you.”
The background is the reporting on the Tesla files. Insiders had leaked more than 100 gigabytes of data from the heart of the company to the Handelsblatt. The more than 23,000 files contain a lot of personal information such as salaries, private addresses, passport and social security numbers.
According to the informants, the data was poorly protected and easily accessible. That is why European data protection authorities are also dealing with the case. In the letter that has now been published, Tesla accuses two ex-employees of violating internal “security and data protection guidelines” and passing on the data.
The company only warned its investors about the consequences at the end of July. Tesla named the data leak in its quarterly report to the US Securities and Exchange Commission in a series of investigations by the US Department of Justice. An “adverse development” could result in a “material adverse impact” — namely with respect to Tesla’s “business, our results of operations, our prospects, our cash flow, our financial condition or our brand”.
Concerns about identity theft worries employees
Employees should also be warned. Tesla announced in its letter to those affected that the company would support them with “a free membership to Experian’s IdentityWorks.” This offers them “credit monitoring, identity detection and resolution services”.
The background is the problem of identity theft, which is particularly well-known in the USA. Social security numbers, including those of company boss Elon Musk, are among the data that insiders said were poorly protected. For cyber hackers, they are the ideal tools to cause great damage.
It often takes victims months to recover their stolen identity. However, when strangers have placed orders and taken out loans on their behalf, the damage is often irreparable. The credit rating, which is important in the USA, may remain a mess – it is crucial for the assessment of the customer, for example by banks before buying a house.
Anyone who now believes they have “been a victim of identity theft” should report this to the authorities immediately, writes Tesla’s data protection officer in his letter to those affected. He also urges them to also review the “identity theft prevention resources” provided by the US Trade Commission.
Since when did Tesla know?
It is surprising that Tesla states that the company only discovered the data leak in May. The Handelsblatt began contacting customers and employees in February. At least one claims to have contacted the company. In a post on the LinkedIn social network, the ex-team leader from the Grünheide factory in Brandenburg was annoyed that he had “not heard a word from Tesla” afterwards.
On May 10, the Handelsblatt also confronted Tesla. The company did not respond to the questions. Instead, a corporate lawyer asked the editors in a letter to send the data back and then delete it. According to them, Tesla only informed the European data protection officers three days later.
The head of the authority in Brandenburg, Dagmar Hartge, forwarded the case to the Dutch data protection officers in The Hague because Tesla’s European headquarters are in Amsterdam. Hartge was amazed by the size of the data leak at the US company: “I can’t remember such a dimension in my time.”
For the authorities, the exact chronological sequence of knowledge about the data outflow is relevant. The General Data Protection Regulation (GDPR) requires a company to inform the supervisory authority “without undue delay and if possible within 72 hours” after becoming aware of a personal data breach.
Lawsuits against two ex-employees
The GDPR can issue warnings or impose fines in cases of insufficient data protection and late reporting of violations. The latter can amount to up to four percent of group sales. With Tesla’s annual sales of just under $81.5 billion, that would be up to $3.26 billion.
In late May, Tesla also informed its employees that a former employee had “abused” their access to “inappropriately copy information from the network” and share it with “an external EU media organization.” Tesla is currently investigating “whether other people could have been involved”.
Also read about the Tesla files:
In the meantime, the company apparently assumes that two employees have passed on information. Lawsuits have resulted in the seizure of electronic devices believed to contain the data, Tesla said in its letter. The company also obtained injunctions prohibiting the two individuals from “further use, access, or dissemination of the data.”
Why Tesla waited until now to also alert American authorities is unclear. Likewise, whether Tesla has informed authorities in other US states. The company initially left a request from the Handelsblatt on Sunday unanswered.
More: Ex-employee claims Tesla warned early on about data leaks.
#Tesla #files #employ #Attorney #General