By Erika Koutroumpa,
In late May, Brandenburg, a German newspaper, claimed that Tesla suffered from a data breach where 100 GB of sensitive personal information of customers, employees and business partners got leaked by a whistleblower. In the alleged leaked file, one could find the contact information of both former and current employees, information about salaries, information on clients’ bank accounts and classified details from the production of the cars.
A data breach is a security incident resulting in a breach of confidentiality, availability, or integrity. More specifically, it is when confidential, sensitive, or protected information is exposed to an unauthorized person because of weaknesses in technology or user behaviour. It can threaten an individual’s rights and freedoms, and the reputation of a company can majorly be impacted as well. Although it usually is assumed that this is a result of hacker activity, this crime has multiple causes, from being an accident to lost or stolen devices through malicious means such as phishing and malware. If there is malicious intent, a pattern can generally be observed: the hacker aims at the victim’s weak points by either directly targeting the network or getting gullible insiders to download malware.
Citing the intel from the leaked Tesla file, the newspaper claimed that thousands of customers have complained about the carmaker’s driver assistance systems, with around 4000 complaints of sudden acceleration or phantom braking. The AI program for automated driving heavily relies on pictures and videos from car cameras, since they are used for its training, including tasks such as recognition of pedestrians and street signs. A Reuters report from April of the same year revealed employee group chats using Tesla’s internal messaging system showing highly invasive videos and images recorded by customer car cameras between 2019 and 2020. Although Tesla states in the “Customer Privacy Notice” that camera recordings remain anonymous, former employees revealed to Reuters that the computer program used for looking at camera footage shows the location of recordings. As a result, employees had access to images from clients’ private properties and houses. In 2016 the National Highway Traffic Safety Administration had to clarify to users that they were allowed to publicize safety issues after the company required car owners to sign an NDA to get their Model S repaired.
Based on the EU guidelines, the company must notify the supervisory authority without undue delay, within 72 hours after having become aware of the breach. If the breach does pose a high risk to specific individuals, then they should be informed as well, unless effective technical and organizational protection measures are in place. In Tesla’s case, the company should have informed the supervisory authority of the breach and, as it includes sensitive data, such as addresses of clients and contact information of the employees, individuals from both groups need to be informed as well. Hence, if this report is true, it would be a major violation of the GDPR, where the company would have to pay a fine of up to 4% of its annual sales, tallying up to 3.26 billion euro. In Brandenburg, where the automotive giant’s factory is located, the data protection office described the leak as “massive”, handing the case to the Dutch authorities, where Tesla has its European headquarters.
This begs the question; How can companies avoid data breaches?
First off, it is essential to update software as soon as options are available, as well as to buy new devices when the software of the current one is no longer supported by the manufacturer. Furthermore, in professional settings, it is pivotal to require all devices to use business-grade VPN and antivirus protection to avoid being found by hackers and to limit the effects of malware. Lastly and most importantly, it is essential to enforce strong credentials and multi-factor authentication and to educate employees on best security practices because prevention is the best way to tackle the issue.
To conclude, should the revelations of the watchdog be true, then Tesla would be once again under hot water for mishandling personal data. Data breaches of such high-profile companies create a reputation of unreliableness but also pose a threat to the security of related individuals. Hence, why it is highly important to invest in the proper technology, while also being honest in the way that customers’ data is being handled regardless of data compromise and doing the utmost to protect it.
References
-
“Report: ‘massive’ Tesla leak reveals data breaches, thousands of safety complaints”, Guardian staff and agency, theguardian.com. Available here
-
“Dutch watchdog looking into alleged Tesla data breach”, Riham Alkousaa, Toby Sterling, reuters.com. Available here
-
“Singleton Schreiber: Tesla Data Breach Exposes Serious Safety Hazards”, Brett Schreiber, prnewswire.com. Available here
-
“What is a data breach and what do we have to do in case of a data breach?” European Commission website. commission.europa.eu. Available here
-
“How data breaches happen”, kaspersky.com. Available here
