Tesla filed a lawsuit against a former employee this week after it learned he made changes to company source code and exported gigabytes of proprietary data to unknown third parties.
Tesla CEO and business magnate Elon Musk learned a tough lesson this weekend: The insider threat remains a legitimate security threat for organizations.
Musk said late Sunday in an email to Tesla employees he had learned an employee of the company “conducted quite extensive and damaging sabotage” to its operations. According to CNBC, which received a copy of the email and corroborated its veracity, the employee managed to create false usernames in order to make direct changes to the Tesla Manufacturing Operating System’s (MOS) source code. The malicious insider also managed to export large amounts of highly sensitive data to unknown third parties.
In a lawsuit filed by Tesla on Wednesday in Nevada, the company alleged the employee, Martin Tripp, wrote code to periodically export gigabytes of Tesla’s data, including dozens of confidential photographs and a video of Tesla’s manufacturing systems.
According to the suit Tripp also funnelled data on Tesla’s financials, the process for manufacturing batteries for its Model 3 luxury vehicle, and the amount of scrap and raw materials used at the battery factory, outside of the organization.
The complaint says Tripp admitted last week to writing the software but to add insult to injury the software was running on three additional computer systems belonging to Tesla employees “so that the data would be exported even after he left the company and so that those individuals would be falsely implicated as guilty parties.”
Tripp was hired last October and employed at the company’s Nevada Gigafactory, a/k/a GF1, for the past eight months as a process technician. The lithium-ion battery factory, located outside Sparks, a suburb of Reno, produces batteries, assembled battery packs, motors, and drive units for the company’s cars.
Tesla believes Tripp was triggered to steal the information last month, on or about May 17, after he was reassigned to an undisclosed new role. According to the suit Tripp “expressed anger” that he had been reassigned; Tesla posits the theft of the data came as retaliation.
Investigators with the company interviewed the employee last Thursday and Friday. After he denied any wrongdoing, Tesla confronted Tripp with evidence of the contrary. It was then that he admitted to stealing confidential and proprietary data, and said he was attempting to recruit additional sources inside the company to assist him in stealing data.
It’s uncertain – beyond the photos and video named in the lawsuit – just how much additional data Tripp may have taken from Tesla’s systems. The company, in hopes of protecting its trade secrets, has ordered the court to inspect any computers, USB storage devices, email accounts, and any cloud-based accounts Tripp may run.
Tesla alleges that Tripp not only breached the company’s Proprietary Information Agreement – a document the former employee signed in October promising he wouldn’t disclose, use, or publish any of the company’s data – but also the Nevada Computer Crimes Law, in exfiltrating the data.
While the full scope of the employee’s sabotage is still being investigated it’s likely the case, Tesla, Inc. v. Tripp, could become a prime example of the dangers of the insider threat.
Verizon’s 2018 Data Breach Investigations Report (DBIR) – which regularly catalogues threats like ransomware and security incidents – pointed out earlier this year that nearly half of the breaches its analysts came across, 40 percent, were perpetrated by internal actors and involved privilege misuse. A report on insider threat trends via PwC earlier this year showed that 80 percent of attacks were committed during work hours on company issued software. 10 percent of those attacks were carried out for revenge purposes.
At this point it’s unclear whether Tesla had an effective insider threat program in place, something designed to anticipate and address behaviour by risky insiders before the damage is done.
This article was originally published by our technology partner, Digital Guardian here.