Data Breach: What Tesla’s Biggest Insider Threat in 2023 Can Teach Us Going Into 2024

In 2023, Tesla experienced its biggest insider threat of the year in May, announcing that it had suffered a massive data breach, marking what is possibly the biggest breach in the company’s history, with __over 75,000 employees __and former employees having personally identifiable information (PII) leaked.

According to the reports which dubbed the stolen data as “The Tesla Files”, the 100 GB leak included:

• Employees’ personal information like their names, addresses, phone numbers, and Social Security numbers
• Customer bank details
• Production secrets
• Customer complaints about Tesla’s Full Self-Driving (FSD) features

Even CEO Elon Musk reportedly had his Social Security number leaked.

We have since learned that there were two culprits behind the breach: two former Tesla employees who sent the massive data dump to the German newspaper Handelsblatt.

The good news for Tesla is that the outlet has announced that they will not be publishing the contents of the leak. As a journalistic organization, especially in Germany, Handelsblatt could find itself in hot water for publishing peoples’ PII. However, the publisher did note the fact that the leaks included complaints about safety issues with the vehicles, which could still cause Tesla a fair amount of grief as writing about these issues could easily fall in the “public interest” bucket for journalists.

The bad news is that the company may still be on the hook for $3.3 billion in fines due to data privacy violations under GDPR.

While the leak is interesting in itself for reasons of scale and the high profile target, in this article, we are going to look at the role that fostering loyalty with employees can play in helping to tamper with the desire of employees to want to turn against their organizations.

But first, let's take a look at Tesla’s history of dealing with insider threats.

Tesla's History of Insider Threat Incidents

This is not the first time that Tesla found itself in the headlines in terms of an insider threat incident. In fact, the company has a mixed bag when it comes to its history of insider threat incidents over the years.

In 2018, Musk announced that a malicious employee had conducted "extensive and damaging sabotage" to the company, exfiltrating large quantities of data and making changes to their systems.

The employee reportedly was angry over not receiving the promotion that they thought they thought was coming to them and decided to make their displeasure known through less than pleasant means.

On the other side of the scale, in 2020, an employee alerted the company that he had been approached by an old acquaintance who tried to bribe him into helping carry out a ransomware attack. Thanks to the employee’s warning, Tesla was able to thwart the attack, and the ransomware crew member was arrested.

In both cases, we see the potential damage a malicious insider can cause to their organization and frankly how easy it can be for them to be successful.

Why are Insider Threats so Difficult to Stop?

Insider threats are one of the hardest for organizations to defend against because they are legitimate users who are already inside your systems.

Unlike outsiders who need to steal/phish/buy credentials and then defeat MFA, an insider is a real user inside your organization who can act totally normally until the moment that they do not.\

This means no indicators of compromise and no leaked credentials showing up on “Have I been Pwned.” You often will not detect it until the damage has been done.

An additional factor is the fact that many insider threats are not actually malicious. While they cause real harm with their leaks, they act unintentionally through mistakes and general negligence. According to the Verizon Data Breach Investigations Report for 2023, carelessness was the cause of 98% of errors that led to a data breach.

This difficulty in detection has led many organizations to look for ways to head off incidents before they happen, looking at strategies for prevention. This is where the question of motivation and loyalty comes into play.

Negative Impactors on Employee Loyalty

Year after year, the number one motivator for insider threat incidents is financial gain.

You know, good old-fashioned greed.

And yet, the seed that leads to the betrayal is planted long before an employee decides to take the more drastic steps of stealing or harming your data.

Looking at the Verizon Data Breach Investigations Report for 2023, researchers found that 89% of privilege misuse cases were financially motivated, followed by a “grudge” at 13%.

So, what leads to that grudge?

According to Jacques Y. Kassa’s 2021 thesis “Modeling the Relationship Between Loyalty and Insider Threat” at the Naval Postgraduate School in Monterey, CA, depression, hopelessness, frustration, disgruntlement, and anger are all emotional factors that play into insider threats.

Not a groundbreaking insight but we also know that organizations do not invest enough effort in checking in with employees to see how they are feeling about their place in the organization.

Kassa writes that motivators like ideology, vengeance, retribution, espionage, and activism are more frequent in government organizations than in the civilian sectors. Perhaps in the case of Tesla, there may have been a desire to share some of the safety data with the public, though there is a question of whether this is activism or retribution.

There are, however, a couple of factors to watch out for.

Underpaid and Underappreciated

Being well compensated for your work is the top motivator for basically every employee. Better than extra snacks or company activities, employees need to feel that they are appreciated for their work, and commensurate compensation is a clear indicator of that recognition and respect.

Feeling Part of the Team

During the pandemic, one of the struggles faced by organizations was in employees maintaining a sense of being on the team. Going remote meant not strengthening the in-person, informal bonds that can make a person feel comradery with their co-workers and deter them from wanting to cause them harm.

After all, if these are just people that you see on Zoom calls and email chains, what do you owe them if a better opportunity comes along?

This has primarily been a problem for retention, but it can also impact motivations for someone turning malicious.

Mass Layoffs and the Great Resignation

We are at a cultural moment that is frankly different from where we were five or ten years ago.

Uncertainty in the job market is a constant, with organizations laying off large quantities of workers in massive waves. Big players like Amazon have cut 27,000 workers in the past year, while Microsoft has laid off over 10,000 people.

This has led to the justified feeling among many that their companies are not loyal to them. So why should they show loyalty back? Why not take some customer data or valuable IP before you get shown the door if it might give you a leg up at your next job?

Combine this uncertainty with the Great Resignation that saw workers leave jobs that they may have put up with for something better. Maybe they found a better location, something totally remote, or having other good conditions that they decided to seek greener pastures elsewhere.

Many simply looked around and saw that plenty of others were leaving their jobs, so why not them, too?

3 Tips for Reducing Insider Threat Risk

Given the ways that employee loyalty can be diminished, how can organizations improve the positive feelings that their employees have and reduce their risk of an insider threat incident?

Here are a few suggestions.

Provide an Outlet for Frustration or Concerns

Beyond the need to feel appreciated, people need to feel that they have a place to turn to when something is bothering them at work.

A question any company, especially a manufacturer, should ask is whether employees have a place to go where they can voice ethical concerns in-house and see that they are handled with due seriousness.

If workers do not have an internal channel for dealing with concerns, then they may seek options elsewhere.

Invest in Education and Training

There’s an interesting question about when it comes to accidental insider-caused incidents. On the one hand, they do not actively choose to harm their employer since the case is unintentional. However, on the other hand, a lack of interest in following the guidelines due to a lack of a strong commitment to their organization probably plays a role in these incidents occurring.

Dealing with the non-malicious actors requires fewer sticks and more carrots to get results. Training and education can play a critical role here in preventing incidents.

The advantages here can be two-fold. Learning the proper protocols for handling sensitive data and systems teaches them how to do the job correctly and safely. It also gives them a sense of ownership.

When your organization invests time and resources into training them how to be better at their job and protect the organization, then chances increase that they will try to implement what they learn in the courses.

Encourage but Verify with User Behavioral Analytics

Even as we work to increase the level of trust with employees, we need to implement measures to verify that folks are on their best behavior.

This means putting in place User Behavioral Analytics tools for continuously monitoring behavior in order to establish a baseline of activity. Once we understand how people normally interact with the systems that they are entitled to work with and think about which applications, data sets, etc they interact with regularly, then we can detect when they begin to act anomalously.

Most insider threat cases follow similar patterns in that they have threat actors abuse their privileges and find ways to exfiltrate their pilfered data. By monitoring sensitive files, we can see who is accessing them and potentially who is stepping outside the lines and needs to be followed up with.

Loyalty is Earned, Not a Given

One note for clarification. Companies are not families. They hire, fire, downsize, and work in their own self-interest. Most of us do not fire our family members, even if we want to sometimes.

Employees have the same right to leave an organization if they feel that their own needs are not being met. Having loyalty to a company does not mean that someone should stay if they are not happy.

What it does mean is that if the organization acts properly, then it will engender enough goodwill to keep employees on the ethical and legal path of not stealing their data or seeking to cause them harm.

And that may count for enough to help diffuse and prevent a potential incident.