A Tesla employee used his trusted access to the company's network to steal a large amount of highly sensitive data and ship it to unknown third parties.
The incident is the latest reminder — as if any were needed — of the havoc malicious insiders can cause to organizations that don't have the right controls or processes in place for mitigating such risks.
Tesla CEO Elon Musk notified employees Sunday about an employee who had conducted "extensive and damaging sabotage" to the electric carmaker's operations. In an email, Musk described the employee as making changes to Tesla's manufacturing operating system using false usernames and then exporting a large volume of highly sensitive Tesla data to third parties.
As with many such incidents, the employee was apparently disgruntled over his job situation, failing to get a promotion that he thought he deserved. "The full extent of his actions are not yet clear," Musk wrote. "But what he has admitted so far is pretty bad."
The email went on to note Musk's suspicions about there being more to the incident than might be first apparent. Many organizations want Tesla to fail, including short-sellers on Wall Street, oil and gas companies, and big car manufacturers worried about Tesla advancing the progress of electric cars, Musk noted. "If they're willing to cheat so much about emissions, maybe they're willing to cheat in other ways?" he said.
Tesla is working on finding out whether the employee acted alone or was in cahoots with outside organizations, Musk said.
The Tesla incident is similar to countless other big security incidents involving malicious insiders in recent years. Edward Snowden's 2012 theft and subsequent leaks of classified documents from the National Security Agency (NSA) remain one of the most high-profile examples of insider abuse.
But there are numerous other examples as well. Just this week, former CIA software engineer Joshua Schulte was charged with stealing and leaking more than 8,700 confidential CIA documents. Schulte, who worked in the CIA's National Clandestine Service, abused his user privileges and access to CIA systems to pilfer the data, lock out other users, and delete evidence of his activity.
Going back, in 2016, the FBI arrested former NSA contractor Harold Martin for stealing some 50TB of data — including classified documents — over a staggering 20-year period. In 2015, an in-house banker at Morgan Stanley abused his trusted access to steal records on about 10% of the firm's 3.5 million customers.
Others have used their insider status to lock people out of networks, destroy data, and commit trade secret theft on a huge scale. But no matter the action, the threat from such users is broader than many organizations might assume.
According to a recent insider risk survey conducted by Dtex Systems, 60% of organizations had malicious insiders who were actively using anonymous and private browsing to bypass enterprise controls and policies, says CEO Christy Wyatt. Seventy-two percent had malicious insiders who were actively using unauthorized applications like OpenVPN and Wireshark to evade security controls.
Dtex researchers also detected several instances of users escalating or granting administrative privileges to their accounts, granting those privileges to co-workers, and engaging in similar credential misuse activity, Wyatt says.
The Tesla case points to two frightening scenarios involving malicious insiders: exfiltration of valuable IP and the alteration of critical information, says Ken Spinner, vice president of global engineering at Varonis.
"In a recent report, we found that 41% of companies had at least 1,000 sensitive files open to all employees," Spinner says. "Companies are doing and creating, but they're not locking down their data."
Malicious insider actions can be triggered by any number of reasons. But often the reasons are feelings of disgruntlement, retaliation for a perceived wrong, a desire for monetary gain, or a desire to gain competitive advantage for oneself or on behalf of someone else.
Many organizations are acutely aware of the threat. In a survey that Haystax Technology conducted last year, 61% of the respondents expressed concern about data breaches resulting from malicious insider actions. Yet responses to the issue have been varied and often held back by concerns over the proprietary nature of implementing rigorous employee threat monitoring and controls.
Cultural and political issues can make it harder to implement effective internal security controls, says Michael Daly, CTO of cybersecurity at Raytheon. So organizations need to convey the true value of monitoring.
"First, insider threat monitoring protects the employees. It safeguards their personal data and prevents damage to the projects that they are working — their own jobs, their intellectual endeavors," he says. "Second, an insider isn't just an employee. An insider is an external threat actor who has made it onto the internal network, using the employees' accounts, pretending to be the employee."
Contrary to what some might believe, dealing with insider threats is not primarily a technology issue but an "acknowledgment of risk issue," adds Raj Ananthanpillai, chairman and CEO of Endera.
Companies that understand the true risks to their businesses and to their brands have the willingness to implement effective workforce evaluation processes, he says. "Businesses that are not willing to acknowledge that they could have insiders capable of creating great risks are doomed to discover this the hard way," Endera adds.