Dark Reading is part of the Informa Tech Division of Informa PLC

Tesla Employee Steals, Sabotages Company Data

The electric carmaker is the victim of an "extensive and damaging" insider attack, says CEO Elon Musk.

A Tesla employee used his trusted access to the company's network to steal a large amount of highly sensitive data and ship it to unknown third parties.

The incident is the latest reminder — as if any were needed — of the havoc malicious insiders can cause to organizations that don't have the right controls or processes in place for mitigating such risks.

Tesla CEO Elon Musk notified employees Sunday about an employee who had conducted "extensive and damaging sabotage" to the electric carmaker's operations. In an email, Musk described the employee as making changes to Tesla's manufacturing operating system using false usernames and then exporting a large volume of highly sensitive Tesla data to third parties.

As with many such incidents, the employee was apparently disgruntled over his job situation, failing to get a promotion that he thought he deserved. "The full extent of his actions are not yet clear," Musk wrote. "But what he has admitted so far is pretty bad."

The email went on to note Musk's suspicions about there being more to the incident than might be first apparent. Many organizations want Tesla to fail, including short-sellers on Wall Street, oil and gas companies, and big car manufacturers worried about Tesla advancing the progress of electric cars, Musk noted. "If they're willing to cheat so much about emissions, maybe they're willing to cheat in other ways?" he said.

Tesla is working on finding out whether the employee acted alone or was in cahoots with outside organizations, Musk said.

The Tesla incident is similar to countless other big security incidents involving malicious insiders in recent years. Edward Snowden's 2012 theft and subsequent leaks of classified documents from the National Security Agency (NSA) remains one of the most high-profile examples of insider abuse.

But there are numerous other examples as well. Just this week, former CIA software engineer Joshua Schulte was charged with stealing and leaking more than 8,700 confidential CIA documents. Schulte, who worked in the CIA's National Clandestine Service, abused his user privileges and access to CIA systems to pilfer the data, lock out other users, and delete evidence of his activity.

Going back, in 2016, the FBI arrested former NSA contractor Harold Martin for stealing some 50TB of data — including classified documents — over a staggering 20-year period. In 2015, an in-house banker at Morgan Stanley abused his trusted access to steal records on about 10% of the firm's 3.5 million customers.

Others have used their insider status to lock people out of networks, destroy data, and commit trade secret theft on a huge scale. But no matter the action, the threat from such users is broader than many organizations might assume.

According to a recent insider risk survey conducted by Dtex Systems, 60% of organizations had malicious insiders who were actively using anonymous and private browsing to bypass enterprise controls and policies, says CEO Christy Wyatt. Seventy-two percent had malicious insiders who were actively using unauthorized applications like OpenVPN and Wireshark to evade security controls.

Dtex researchers also detected several instances of users escalating or granting administrative privileges to their accounts, granting those privileges to co-workers, and engaging in similar credential misuse activity, Wyatt says.

The Tesla case points to two frightening scenarios involving malicious insiders: exfiltration of valuable IP and the alteration of critical information, says Ken Spinner, vice president of global engineering at Varonis.

"In a recent report, we found that 41% of companies had at least 1,000 sensitive files open to all employees," Spinner says. "Companies are doing and creating, but they're not locking down their data."

Malicious insider actions can be triggered by any number of reasons. But often the reasons are feelings of disgruntlement, retaliation for a perceived wrong, desire for monetary gain, or to gain competitive advantage for oneself or on behalf of someone else.

Many organizations are acutely aware of the threat. In a survey that Haystax Technology conducted last year, 61% of the respondents expressed concern about data breaches resulting from malicious insider actions. Yet responses to the issue have been varied and often held back by concerns over the proprietary nature of implementing rigorous employee threat monitoring and controls.

Cultural and political issues can make it harder to implement effective internal security controls, says Michael Daly, CTO of cybersecurity at Raytheon. So organizations need to convey the true value of monitoring.

"First, insider threat monitoring protects the employees. It safeguards their personal data and prevents damage to the projects that they are working — their own jobs, their intellectual endeavors," he says. "Second, an insider isn't just an employee. An insider is an external threat actor who has made it onto the internal network, using the employees' accounts, pretending to be the employee."

Contrary to what some might believe, dealing with insider threats is not primarily a technology issue but an "acknowledgment of risk issue," adds Raj Ananthanpillai, chairman and CEO of Endera.

Companies that understand the true risks to their businesses and to their brands have the willingness to implement effective workforce evaluation processes, he says. "Businesses that are not willing to acknowledge that they could have insiders capable of creating great risks are doomed to discover this the hard way," Endera adds.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Moderator
7/14/2018 | 2:03:34 AM
Re: Insider Threats are REAL
This is what every company fears. After hiring a certain someone with so much potential, we have hopes for this person to put their best foot forward to contribute towards the growing of the company. However, this particular someone steals from us and sabotages our corporation instead. Is this the way we get rewarded for wanting to give this person an opportunity when we decided to hire them at the beginning?
User Rank: Apprentice
6/21/2018 | 4:51:10 PM
Re: Insider Threats are REAL
The headline is very misleading. Musk has accused him of this, but so far, hasn't presented any evidence that it happened. At the same time, the police investigated Musk's claim this guy said he would shoot the place up, and found it to be unbelievable. Likely, Musk made that up. The headline should either say that Musk accuses employee of doing this, or write it with a question mark, indicating that you don't know if it's true. Considering all of the times Musk has spoken falsehoods, he's the last person I would believe in a dispute.
User Rank: Apprentice
6/20/2018 | 1:25:11 PM
Insider Threats are REAL
These types of threats are real and growing daily, and what we need to keep in mind is no matter how big a company we/you are, and no matter how mature your data governance, policies, and procedures are, there's always going to be a handful of employees who find a way around the gates. Threats like this will only continue to grow as malicious users are finding new ways to circumvent the traditional perimeter security that's in place, and utilize new tools that we, the average consumer, can pull down from anywhere. No matter how hard we try we can't stop everyone, but we can prepare ourselves by having the right technology in place to retrace these attackers' steps to take a more proactive stance on Cybersecurity. More importantly is that we continue to educate employees, and all trusted partners and vendors so that when an outside attacker is trying to get in, they're educated enough to know what to do in order to keep the company safe.