Tesla’s data breach in May, which affected more than 75,000 people, was an inside job, the company said in a notice released to its customers on Friday. According to the notice, German news outlet Handelsblatt informed Tesla of the breach on May 10 after obtaining the confidential information.
An investigation into the data breach “revealed that two former Tesla employees had misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet,” Steven Elentukh, Tesla’s data privacy officer, wrote in the notice.
It further stated that the company filed two lawsuits prohibiting anyone from sharing the information, prompting Handelsblatt to confirm it won’t publish the information now that it is “legally prohibited from using it inappropriately.”
Tesla said it has seized the former employees’ electronic devices believed to be used in the data breach and could still contain the information. Tesla added that it “also obtained court orders that prohibit the former employees from further use, access, or dissemination of the data, subject to criminal penalties. Tesla cooperated with law enforcement and external forensics experts and will continue to take appropriate steps as necessary.”
The data breach included current and former employees’ Social Security numbers, names, addresses, phone numbers, and/or email addresses. Handelsblatt reported the information amounted to roughly 100 gigabytes of confidential data. A spokesperson for the Netherlands data protection watchdog told CNN in May: “We are aware of the Handelsblatt story and we are looking into it.”
Handelsblatt obtained more than 23,000 internal documents, calling them the “Tesla Files.” The data also reportedly contained 2,400 self-acceleration issue reports, and 1,500 reports of brake issues, including 383 false collision warnings and phantom stops, Business Insider reported.
Tesla said in the notice that it hasn’t detected any misuse of the leaked data, but “cooperated with law enforcement and external forensics experts and will continue to take appropriate steps as necessary.”
The company recommends that anyone who suspects their data was included in the leak take steps to protect their Social Security information by ordering a credit report, placing a fraud alert, and restricting their credit report by filing a security freeze with the Credit Bureau.
Elentukh did not immediately respond to Gizmodo’s request for comment.