Photo: Tesla/Markus Spiske/edited by autoevolution
It took Tesla quite a while to address the episode known as Tesla Files. If that does not ring a bell to you, the German newspaper Handelsblatt gave the world a demonstration of journalism at its finest: it exposed how the battery electric vehicle (BEV) maker does not protect data from customers and employees as it should. Anyone with access to Tesla's Toolbox internal messaging system could check anything they wanted, including Elon Musk's social security number. The company is now trying to say the two former employees it identified as being the bad guys instead of the whistleblowers they genuinely are.
As the German newspaper clarified back in May, it had several sources that were just fed up with trying to warn Tesla about how badly it handled confidential information. It included its workers' personal information, customers' financial data, and even industrial secrets, such as the Cybertruck. The way they found to expose the whole thing and prevent bad people from using that data was to contact Handelsblatt and give the German newspaper everything they had managed to obtain.
Tesla contacted the office of the Maine Attorney General and notified it of the data breach, which it said happened on May 10, 2023. That's not correct: the BEV maker only had the confirmation of the data leak on that date because Handelsblatt contacted the company to warn it about everything it had. The German newspaper has worked on the case for more than six months, so the data breach actually happened much earlier. How hasn't Tesla discovered it before being notified by Handelsblatt? How much more data has been retrieved from Tesla's systems, and the company has no idea?
The BEV maker said that the two former employees "misappropriated the information in violation of Tesla's IT security and data protection policies." That brings up two other crucial questions about the whole thing. Which IT security, when it only realized sensitive data was with someone else after being told about it by Handelsblatt? What are Tesla's data protection policies, particularly after so many episodes of mishandling it?
Photo: PLC.ua
The most recent example came from a totaled Tesla Model X that belonged to CNBC executive editor Jay Yarow. The story that revealed the case did not elaborate on who crashed the electric SUV, only that it happened by the end of last year. Yarow noticed that the vehicle went back online in Ukraine on August 10 and that the new owner was listening to Drake on his Spotify account. The BEV maker advocates always blame customers in similar situations claiming they should have erased the vehicle from their Tesla accounts. If the car worked, that would be a possibility, but what about something that people eventually expect to be fixed? Why erase a vehicle that you are waiting to be repaired until you learn the insurance company decided to write it off?
There are several other episodes of Tesla mishandling personal data. Last April, Reuters revealed that former Tesla employees shared customers' private videos on Mattermost, Tesla's internal messaging system. The company is being sued due to that issue. On May 3, 2020, the white-hat hacker GreenTheOnly told me how Tesla dealt with old computers that had to be replaced in its vehicles. The company threw them in garbage cans with lots of information from previous owners untouched. GreenTheOnly bought some of these computers, and I could talk to some of them. They were shocked and concerned to receive my calls. Some even refused to discuss the situation with me. As usual, company investors tried to downplay the situation as trivial – and will keep doing so until a reporter gets in touch or their private data is used in a scam.
According to the letter Tesla is sending to affected employees and customers, it "filed lawsuits against the two former employees. These lawsuits resulted in the seizure of the former employees' electronic devices that were believed to have contained the Tesla information. Tesla also obtained court orders that prohibit the former employees from further use, access, or dissemination of the data, subject to criminal penalties." It just did not mention if they applied for whistleblower protection or where these guys live.
Photo: Tesla/Karl Hansen/edited by autoevolution
Again, without these former employees, customers and employees would probably ignore how exposed they were. If anyone at Tesla can access their files, how sure can they be that no con artist, fraudster, or any other person with evil intentions will not use their data in harmful ways?
On December 13, 2021, Anthony Solima allegedly shot and killed Lee Brasier with a .223-caliber short-barreled AR-15 at the Fremont factory parking lot. Solima was arrested, and I have not heard back if he was convicted or absolved of the crime. In August 2018, Karl Hansen accused Tesla of failing to disclose to shareholders that authorities had uncovered drug-dealing efforts at the Gigafactory in Nevada. Hansen is still fighting Tesla in court. The company has been accused several times of doing nothing to prevent racism or sexual harassment at its premises. All these folks were free to check any information on Tesla's Toolbox and Jira systems until Handelsblatt revealed how poorly personal data is treated there. It would be interesting to learn how Tesla solved that, but it does not talk to the press – and it makes increasingly more sense.
Here's an unusual situation. I had a Tesla, crashed it, it was totaled. And now it's ... in Ukraine? And someone there is listening to Drake on my, still logged in, Spotify account. pic.twitter.com/ymW2psyvz6
Google News