Dark Reading is part of the Informa Tech Division of Informa PLC


Tesla Employee Steals, Sabotages Company Data

The electric carmaker is the victim of an "extensive and damaging" insider attack, says CEO Elon Musk.

A Tesla employee used his trusted access to the company's network to steal a large amount of highly sensitive data and ship it to unknown third parties.

The incident is the latest reminder — as if any were needed — of the havoc malicious insiders can cause to organizations that don't have the right controls or processes in place for mitigating such risks.

Tesla CEO Elon Musk notified employees Sunday about an employee who had conducted "extensive and damaging sabotage" to the electric carmaker's operations. In an email, Musk described the employee as making changes to Tesla's manufacturing operating system using false usernames and then exporting a large volume of highly sensitive Tesla data to third parties.

As with many such incidents, the employee was apparently disgruntled over his job situation, failing to get a promotion that he thought he deserved. "The full extent of his actions are not yet clear," Musk wrote. "But what he has admitted so far is pretty bad."

The email went on to note Musk's suspicions about there being more to the incident than might be first apparent. Many organizations want Tesla to fail, including short-sellers on Wall Street, oil and gas companies, and big car manufacturers worried about Tesla advancing the progress of electric cars, Musk noted. "If they're willing to cheat so much about emissions, maybe they're willing to cheat in other ways?" he said.

Tesla is working on finding out whether the employee acted alone or was in cahoots with outside organizations, Musk said.

The Tesla incident is similar to countless other big security incidents involving malicious insiders in recent years. Edward Snowden's 2012 theft and subsequent leaks of classified documents from the National Security Agency (NSA) remain one of the most high-profile examples of insider abuse.

But there are numerous other examples as well. Just this week, former CIA software engineer Joshua Schulte was charged with stealing and leaking more than 8,700 confidential CIA documents. Schulte, who worked in the CIA's National Clandestine Service, abused his user privileges and access to CIA systems to pilfer the data, lock out other users, and delete evidence of his activity.

Going back, in 2016, the FBI arrested former NSA contractor Harold Martin for stealing some 50TB of data — including classified documents — over a staggering 20-year period. In 2015, an in-house banker at Morgan Stanley abused his trusted access to steal records on about 10% of the firm's 3.5 million customers.

Others have used their insider status to lock people out of networks, destroy data, and commit trade secret theft on a huge scale. But no matter the action, the threat from such users is broader than many organizations might assume.

According to a recent insider risk survey conducted by Dtex Systems, 60% of organizations had malicious insiders who were actively using anonymous and private browsing to bypass enterprise controls and policies, says CEO Christy Wyatt. Seventy-two percent had malicious insiders who were actively using unauthorized applications like OpenVPN and Wireshark to evade security controls.

Dtex researchers also detected several instances of users escalating or granting administrative privileges to their accounts, granting those privileges to co-workers, and engaging in similar credential misuse activity, Wyatt says.

The Tesla case points to two frightening scenarios involving malicious insiders: exfiltration of valuable IP and the alteration of critical information, says Ken Spinner, vice president of global engineering at Varonis.

"In a recent report, we found that 41% of companies had at least 1,000 sensitive files open to all employees," Spinner says. "Companies are doing and creating, but they're not locking down their data."

Malicious insider actions can be triggered by any number of reasons. But often the motives are disgruntlement, retaliation for a perceived wrong, a desire for monetary gain, or a wish to gain competitive advantage for oneself or on behalf of someone else.

Many organizations are acutely aware of the threat. In a survey that Haystax Technology conducted last year, 61% of the respondents expressed concern about data breaches resulting from malicious insider actions. Yet responses to the issue have been varied and often held back by concerns over the proprietary nature of implementing rigorous employee threat monitoring and controls.

Cultural and political issues can make it harder to implement effective internal security controls, says Michael Daly, CTO of cybersecurity at Raytheon. So organizations need to convey the true value of monitoring.

"First, insider threat monitoring protects the employees. It safeguards their personal data and prevents damage to the projects that they are working — their own jobs, their intellectual endeavors," he says. "Second, an insider isn't just an employee. An insider is an external threat actor who has made it onto the internal network, using the employees' accounts, pretending to be the employee."

Contrary to what some might believe, dealing with insider threats is not primarily a technology issue but an "acknowledgment of risk issue," adds Raj Ananthanpillai, chairman and CEO of Endera.

Companies that understand the true risks to their businesses and to their brands have the willingness to implement effective workforce evaluation processes, he says. "Businesses that are not willing to acknowledge that they could have insiders capable of creating great risks are doomed to discover this the hard way," Endera adds.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Moderator
7/14/2018 | 2:03:34 AM
Re: Insider Threats are REAL
This is what every company fears. After hiring a certain someone with so much potential, we have hopes for this person to put their best foot forward to contribute towards the growing of the company. However, this particular someone steals from us and sabotages our corporation instead. Is this the way we get rewarded for wanting to give this person an opportunity when we decided to hire them at the beginning?
User Rank: Apprentice
6/21/2018 | 4:51:10 PM
Re: Insider Threats are REAL
The headline is very misleading. Musk has accused him of this, but so far, hasn't presented any evidence that it happened. At the same time, the police investigated Musk's claim this guy said he would shoot the place up, and found it to be unbelievable. Likely, Musk made that up. The headline should either say that Musk accuses employee of doing this, or write it with a question mark, indicating that you don't know if it's true. Considering all of the times Musk has spoken falsehoods, he's the last person I would believe in a dispute.
User Rank: Apprentice
6/20/2018 | 1:25:11 PM
Insider Threats are REAL
These types of threats are real and growing daily, and what we need to keep in mind is no matter how big a company we/you are, and no matter how mature your data governance, policies, and procedures are, there's always going to be a handful of employees who find a way around the gates. Threats like this will only continue to grow as malicious users are finding new ways to circumvent the traditional perimeter security that's in place, and utilize new tools that we, the average consumer, can pull down from anywhere. No matter how hard we try we can't stop everyone, but we can prepare ourselves by having the right technology in place to retrace these attackers' steps to take a more proactive stance on Cybersecurity. More important is that we continue to educate employees, and all trusted partners and vendors so that when an outside attacker is trying to get in, they're educated enough to know what to do in order to keep the company safe.