Tag Archives: data breach

Tesla Says Data Breach Impacting 75,000 Employees Was An Insider Job

Security,

Tesla has said that insider wrongdoing was to blame for a data breach affecting more than 75,000 company employees, TechCrunch reported.

Tesla, the electric car maker owned by Elon Musk, said in a data breach notice filed with Maine’s attorney general that an investigation had found that two former employees leaked more than 75,000 individuals’ personal information to a foreign media company.

“The investigation revealed that two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with a media outlet,” Steven Elentukh, Tesla’s data privacy officer, wrote in the notice.

According to TechCrunch, this information includes personally identifying information, including names, addresses, phone numbers, employment-related records and Social Security numbers belonging to 75,735 current and former employees.

Tesla said two former employees had shared the data with German newspaper Handelsblatt. The outlet assured Tesla that it wouldn’t publish the information and that it is “legally prohibited from using it inappropriately,” according to the notice.

The publication obtained more than 23,000 internal documents, dubbed the “Tesla Files,” containing 100 gigabytes of confidential data. This included employees’ personal information, customer bank details, production secrets and customer complaints about Tesla’s Full Self-Driving (FSD) features.

According to Handelsblatt, Musk’s Social Security number was also included in the leak.

The Verge reported that, according to a filing with the state of Maine’s attorney general office, Tesla’s data privacy officer Steven Elentukh, reported the breach as “insider wrongdoing,” leaking employee information including social security numbers.

The Maine filing includes a template letter by Elentukh written to send to affected employees in the state. It confirms that Handelsblatt, the German media outlet recipient of 100GB of Tesla’s data, had notified Tesla on May 10th that it had received confidential information.

According to The Verge, what Handelsblatt did let out was customer complaints about Tesla’s Full Self-Driving (FSD). It found that the automaker’s advanced driver-assistant system, which aims to achieve autonomous city driving capability, had 2,400 self-acceleration issues and more than 1,500 braking problems reported by customers. The occurrences spanned between 2015 and March 2022. Tesla demanded that Handelsblatt delete the data, according to the news outlet.

The Verge also reported that this isn’t the first time Tesla employees have mishandled internal data. In April, it was reported that workers viewed and shared private videos recorded by customers’ Teslas, which are made from the vehicles’ Sentry Mode security systems.

Personally, I think this entire situation is a gigantic mess. It appears that the two employees who sent personal information about the other employees to a German news site not only shouldn’t have done that, but also should face some kind of reprimand for what they did. The other sketchy part of this story is that some Tesla employees appear to enjoy spying on Tesla owners through videos the vehicle creates.

Info From Dozens Of Companies Compromised By CLOP

Hacker, ,

More victims have emerged of a Russian-speaking cybercrime group whose recent spree includes stealing information from several federal U.S. agencies, NBC News reported.

The BBC, Shell, Johns Hopkins Health System, British Airways, the state of Illinois, and the department of motor vehicles of Oregon and Louisiana all appear to have had their files stolen, according to various news releases.

The group, CLOP, is an established ransomware group, a type of organized cybercrime where hackers try to remotely extort victims by either remotely encrypting their data or stealing and threatening to publish files.

On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency that advises the nation on cyberattacks and helps protect federal networks, said that multiple agencies had been affected by CLOP’s recent spree. Only the Department of Energy has said so far that it is a victim.

According to NBC News, CLOP appears to have struck gold by identifying a flaw in MOVEIt, a computer program designed to help companies transfer files. Organizations using an outdated version of MOVEIt are susceptible to an attack where CLOP can scoop up files.

The Guardian reported that personal details of every holder of a driver’s license from the U.S state of Louisiana were exposed to hackers who have pulled off a colossal cyber-attack that also affected American federal agencies, British Airways and the BBC, according to officials.

A statement on Thursday from the governor of Louisiana, John Bel Edwards, said that his staff believes everyone with a driver’s license, identification card or car registration issued by the state of more than 4.6 million residents probably had their names, addresses, and social security numbers exposed to the hackers.

Other personal information to which the cyber-attackers apparently were Louisianans’ driver’s license numbers, vehicle registration data, handicap placard information, birthdates, heights and eye colors, Edward’s statement said.

The number of records involved is thought to be about 6 million, Louisiana’s homeland security and emergency preparedness director Casey Tingle, told reporters Friday.

According to The Guardian, British Airways last week confirmed that its staffers’ names, addresses, national insurance numbers and banking details were exposed because its payroll provider Zellis used MOVEIt. The BBC said its staff had also been afflicted because Zellis was its payroll provider, though the broad caster added that it did not believe banking details were compromised. The UK’s beauty and health companyBoots said some of its team members’ information was also stolen.

CNN reported that hundreds of organizations across the globe have likely had their data exposed after the hackers used the flaw to break into networks in recent weeks. Multiple US federal agencies, including the Department of Energy, were breached. The US Office of Personnel Management was also impacted by the sweeping hack, multiple sources told CNN on Friday.

In my opinion, now would be a good time for companies organizations who use MOVEIt to stop using it. Find a more secure way to manage sensitive data by putting it in a place where it cannot be easily accessed by ne’er-do-wells.