Data leaks from automobile companies occur frequently, with Tesla’s data leak affecting 75,000 people

According to a CNN Business report on August 19, an earlier large-scale data breach at Tesla exposed the personal information of more than 75,000 people and was the result of “internal wrongdoing.”


Tesla stated in a notice to employees that the leaked "Tesla files" contained 100GB of confidential data, including employee names, addresses, mobile phone numbers, and email addresses. The notice has been shared with the Maine Attorney General’s Office. The leaked data also includes about 2,400 customer complaints about sudden acceleration of Teslas, and another 1,500 complaints about braking problems.

In May this year, Handelsblatt reported that Tesla had failed to adequately protect the data of customers, employees and business partners, resulting in leaks, and that the company had received thousands of customer complaints about its driver assistance systems. The leaked information and data amounted to 100G. It included the information of more than 100,000 former and current employees, and even the social security number of Tesla CEO Musk.

Tesla discovered through investigation that this information was illegally obtained and leaked to the media by two former employees of the company. More than 75,000 people were affected in this incident. Tesla also said that the company has filed lawsuits against the two former employees and is committed to protecting personal information.


In July 2023, the research institution Upstream released the "H1'2023 Automotive Cyber Trend Report". As more in-vehicle components are enabled and managed by software, new vulnerabilities continue to emerge. These vulnerabilities provide threat actors with new attack methods to obtain sensitive consumer and manufacturer data, access vehicle controls, and even steal vehicles.


The report focuses on cybersecurity threats and development trends in the automotive industry in the first half of 2023. An analysis of nearly 1,300 automotive cybersecurity incidents between 2010 and 2023 found that 30% of these incidents included potential data breach impacts, targeting original equipment manufacturers (OEMs) and other automotive stakeholders. In the first half of 2023, data breaches in the automotive industry were on the rise, accounting for 37% of all automotive security incidents.

The breach of data privacy poses huge risks to both OEMs and consumers:

- Customer data privacy - Software-defined vehicles (SDV) collect a large amount of sensitive customer data, including personally identifiable information (PII), billing information, location data, etc., and are subject to various data protection regulations (such as GDPR and CCPA). Data breaches can lead to customer identity theft, financial fraud and hefty regulatory fines (fines under the GDPR can be up to 4% of revenue).

- Intellectual property (IP) theft – Intrusions into intellectual property (such as source code or infrastructure) can lead to counterfeit products, lost revenue, and the discovery of vulnerabilities in vehicles and corporate backend systems.

- Vehicle Security and Theft - SDV data is more detailed than ever. Exposed customer and OEM data can be sold on the deep and dark web and used to develop tools to steal vehicles, compromising vehicle security.

- Brand reputation and trust – Data breaches can damage an OEM’s reputation, erode customer trust, even lead to legal action, and negatively impact sales and market share.


In December 2022, a data leak occurred at NIO. The leaked data included customer privacy data, employee data, order data, car owners' ID cards, user addresses, car owners' emergency contacts, car owners' loan data and other private information.

In response to the data leak, NIO issued a statement in December 2022, confirming that some basic user information and vehicle sales information had been stolen before August 2021, and apologized for this. Li Bin, the founder, chairman and CEO of NIO, also publicly issued an apology statement on social media, promising to take responsibility for user losses caused by the data breach.

In response to the risk of data leakage by automobile companies, in August 2021 China's Ministry of Industry and Information Technology issued the "Opinions on Strengthening the Access Management of Intelligent Connected Vehicle Manufacturing Enterprises and Products", which clearly requires companies to establish and improve automobile data security management systems. Companies must perform their data security protection obligations in accordance with the law and specify the responsible department and person in charge. They must establish a data asset management ledger, implement data classification and hierarchical management, and strengthen the protection of personal information and important data. They must also establish technical data security protection measures to ensure that data remains effectively protected and lawfully used, and implement data security risk assessment, data security incident reporting and other requirements in accordance with laws and regulations.

Reference links:

[1] https://www.cnn.com/2023/08/19/business/tesla-data-breach-employee-personal-info/index.html

[2] https://upstream.auto/reports/h1-2023-automotive-cyber-trend-report/

[3] https://app.nio.com/app/web/v2/share_comment?id=2284166&type=essay

[4] https://www.gov.cn/zhengce/zhengceku/2021-08/12/content_5630912.htm


Origin blog.csdn.net/2201_75346516/article/details/132433298