04:50 PM
Connect Directly

Tesla Employee Steals, Sabotages Company Data

The electric carmaker is the victim of an "extensive and damaging" insider attack, says CEO Elon Musk.

A Tesla employee used his trusted access to the company's network to steal a large amount of highly sensitive data and ship it to unknown third parties.

The incident is the latest reminder — as if any were needed — of the havoc malicious insiders can cause to organizations that don't have the right controls or processes in place for mitigating such risks.

Tesla CEO Elon Musk notified employees Sunday about an employee who had conducted "extensive and damaging sabotage" to the electric carmaker's operations. In an email, Musk described the employee as making changes to Tesla's manufacturing operating system using false usernames and then exporting a large volume of highly sensitive Tesla data to third parties.

As with many such incidents, the employee was apparently disgruntled over his job situation, failing to get a promotion that he thought he deserved. "The full extent of his actions are not yet clear," Musk wrote. "But what he has admitted so far is pretty bad."

The email went on to note Musk's suspicions about there being more to the incident than might be first apparent. Many organizations want Tesla to fail, including short-sellers on Wall Street, oil and gas companies, and big car manufacturers worried abou Tesla advancing the progress of electric cars, Musk noted. "If they're willing to cheat so much about emissions, maybe they're willing to cheat in other ways?" he said.

Tesla is working on finding out whether the employee acted alone or was in cahoots with outside organizations, Musk said.

The Tesla incident is similar to countless other big security incidents involving malicious insiders in recent years. Edward Snowden's 2012 theft and subsequent leaks of classified documents from the National Security Agency (NSA) remains one of the most high-profile examples of insider abuse.

But there are numerous other examples as well. Just this week, former CIA software engineer Joshua Schulte was charged with stealing and leaking more than 8,700 confidential CIA documents. Schulte, who worked in the CIA's National Clandestine Service, abused his user privileges and access to CIA systems to pilfer the data, lock out other users, and delete evidence of his activity.

Going back, in 2016, the FBI arrested former NSA contractor Harold Martin for stealing some 50TB of data — including classified documents — over a staggering 20-year period. In 2015, an in-house banker at Morgan Stanley abused his trusted access to steal records on about 10% of the firms 3.5 million customers.

Others have used their insider status to lock people out of networks, destroy data, and commit trade secret theft on a huge scale. But no matter the action, the threat from such users is broader than many organizations might assume.

According to a recent insider risk survey conducted by Dtex Systems, 60% of organizations had malicious insiders who were actively using anonymous and private browsing to bypass enterprise controls and policies, says CEO Christy Wyatt. Seventy-two percent had malicious insiders who were actively using unauthorized applications like OpenVPN and Wireshark to evade security controls.

Dtex researchers also detected several instances of users escalating or granting administrative privileges to their accounts, granting those privileges to co-workers, and engaging in similar credential misuse activity, Wyatt says.

The Telsa case points to two frightening scenarios involving malicious insiders: exfiltration of valuable IP and the alteration of critical information, says Ken Spinner, vice president of global engineering at Varonis.

"In a recent report, we found that 41% of companies had at least 1,000 sensitive files open to all employees," Spinner says. "Companies are doing and creating, but they're not locking down their data."

Malicious insider actions can be triggered by any number of reasons. But often the reasons are feelings of disgruntlement, retaliation for a perceived wrong, desire for monetary gain, or to gain competitive advantage for oneself or on behalf of someone else.

Many organizations are acutely aware of the threat. In a survey that Haystax Technology conducted last year, 61% of the respondents expressed concern about data breaches resulting from malicious insider actions. Yet responses to the issue have been varied and often held back by concerns over the proprietary nature of implementing rigorous employee threat monitoring and controls.

Cultural and political issues can make it harder to implement effective internal security controls, says Michael Daly, CTO of cybersecurity at Raytheon. So organizations need to convey the true value of monitoring.

"First, insider threat monitoring protects the employees. It safeguards their personal data and prevents damage to the projects that they are working — their own jobs, their intellectual endeavors," he says. "Second, an insider isn't just an employee. An insider is an external threat actor who has made it onto the internal network, using the employees' accounts, pretending to be the employee."

Contrary to what some might believe, dealing with insider threats is not primarily a technology issue but an "acknowledgment of risk issue," adds Raj Ananthanpillai, chairman and CEO of Endera.

Companies that understand the true risks to their businesses and to their brands have the willingness to implement effective workforce evaluation processes, he says. "Businesses that are not willing to acknowledge that they could have insiders capable of creating great risks are doomed to discover this the hard way," Endera adds.

Related Content:


Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/14/2018 | 2:03:34 AM
Re: Insider Threats are REAL
This is what every company fears of. After hiring a certain someone with so much potential, we have hopes for this person to put their best foot forward to contribute towards the growing of the company. However, this particular someone steals from us and sabotages our corporation instead. Is this the way we get rewarded for wanting to give this person an opportunity when we deicided to hire them at the beginning?
User Rank: Apprentice
6/21/2018 | 4:51:10 PM
Re: Insider Threats are REAL
The headline is very misleading. Musk has accused him of this, but so far, hasnt presented any evidence that it happened. At the same time, the police investigated Musks claim this guy said he would shoot the place up, and found it to be unbelievable. Likely, Musk made that up. The headline should either say that Musk accuses employee of doing this, or write it with a question mark, indicating that you dont know if its true. Considering all of the times Musk has spoken falsehoods, hes the last person I would believe in a dispute.
User Rank: Apprentice
6/20/2018 | 1:25:11 PM
Insider Threats are REAL
These types of threats are real and growing daily, and what we need to keep in mind is no matter how big a company we/you are, and no matter how mature your data governance, policies, and procedures are, there's always going to be a handful of employees who find a way around the gates.  Threats like this will only continue to grow as malicious users are finding new ways to circumvent the traditional perimeter security that's in place, and utilize new tools that, we the average consumer, can pull down from anywhere.  No matter how hard we try we can't stop everyone, but we can prepare ourselves by having the right technology in place to retrace these attackers steps to take a more proactive stance on Cybersecurity.  More importantly is that we continue to educate employees, and all trusted partners and vendors so that when an outside attacker is trying to get in, they're educated enough to know what to do in order to keep the company safe.  
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.