Lawsuit claims Tesla corp data security is far less advanced than its cars

An ex-Tesla staffer has filed a proposed class action lawsuit that blames poor access control at the carmaker for a data leak, weeks after Tesla itself sued the alleged leakers, two former employees.

Benson Pai, who was a production associate on Tesla's California campus, working on the construction and assembly of the electric car company's vehicles, said the leak was a "direct result" of poor security controls on Tesla's part. The suit, filed on Tuesday, claims the personally identifiable info of 75,000 current and former employees could be sold on the dark web because of the company's "inadequate data security."

Pai, who is looking to front the people whose data was stolen, claimed [PDF] in the filing that Tesla:

The sueball comes weeks after Tesla said in a data breach filing with the state of Maine* that it had itself sued two former employees whom it accused of stealing 75k staffers' records – including, supposedly, Elon Musk's own social security number (SSN).

As The Reg has mentioned before, many class action lawsuits are launched on the premise that SSNs are something of a security fraud goldmine. Possession of only a person's SSN, name, and address, for example, means criminals can take out a credit card or loan in the victim's name. They can use it to obtain medical care (and rack up bills) under the person's identity, or identify themselves using the purloined SSN when arrested – giving the victim a criminal record. Elon Musk, at least, would have a name recognizable enough to potentially swerve that fate.

Tesla discovered the breach in May, when notified by German business paper Handelsblatt [paywalled], which gave details on the data it believed was included in the breach. The publication said it went well beyond just that of Tesla staffers – and allegedly included info from customers and business partners.

The Handelsblatt story said that the company had failed to adequately protect the 100 gigabytes of confidential data handed to it by a whistleblower, which it assured Tesla it was legally forbidden from publishing. Tesla is also reportedly under investigation by Euro data protection authorities over the leak.

• Mozilla calls cars from 25 automakers 'data privacy nightmares on wheels'
• The Anti Defamation League is Musk's latest excuse for Twitter's tanking ad revenue
• Tesla's purported hands-free 'Elon mode' raises regulator's blood pressure
• Silicon Valley billionaires secretly buy up land for new California city

The complaint claims the car manufacturer took too long to inform affected data leak victims, accusing it, among other things, of negligence, invasion of privacy, breach of implied contract, breach of fiduciary duty, breach of confidence and violation of the California Unfair Competition Law.

Pai claimed in the suit that waiting until August to inform class members increased the risk of fraud.

The filing also said the "unencrypted, unredacted information" could be sold on the dark web "at a price ranging from $40 to $200," noting that SSNs "are especially valuable to identity thieves."

When Tesla notified employees, it offered a year's membership of Experian's IdentityWorks monitoring services to members whose social security numbers were leaked. The complaint called the offer "wholly inadequate" as it "fails to account for the fact that victims of data breaches and other unauthorized disclosures commonly face multiple years of ongoing identity theft, and financial fraud, and it entirely fails to provide sufficient compensation for the unauthorized release and disclosure of Plaintiff's and Class members' Sensitive Information."

The suit seeks damages and costs, not disclosed in the complaint but more than $5 million.

We've asked Tesla for comment. ®

*Maine state law has a data breach notification statute on the books requiring businesses who buy and sell to its residents to notify affected parties "as expediently as possible and without unreasonable delay." It's triggered when someone breaks into an org's computer system (or helps themselves if admins have left things public facing) and personal information is acquired, released, or "used without authorization." It's why you'll see a lot of disclosures turning up there first.