Tesla confidential files exposed – how could this happen?

Two Tesla engineers have now been able to move confidential corporate files to their personal accounts. What is going on?

Engineer Alex Khatilov has been ordered to appear before a judge to face allegations that, three days into his job at Tesla, he uploaded more than 6,000 confidential scripts to his personal Dropbox account. Khatilov claims that, after he was hired on December 28, Tesla sent him a file containing information for new hires and, without being advised that the use of Dropbox was prohibited, he transferred the file to his personal cloud account to use later on his personal devices. The court will determine whether this was an honest mistake on the part of the employee.

In July 2019, a former Tesla engineer admitted to having uploaded files related to the manufacturer’s Autopilot system to his personal iCloud account.

18 months on from the first ruling, Tesla seems to have learnt no lessons and taken none of the steps that would have prevented this second data leak from happening. In this second case, Tesla has stated that it doesn’t even know whether the information Khatilov uploaded to Dropbox was moved on to any further locations or whether the leak has been contained.

Paolo Passeri, cyber intelligence principal at Netskope, comments: “The way people work has changed. Driven by the increasing use of cloud services and mobile devices, people now expect to be able to work at any time, from any place, and on any device. Whether accidental or malicious, the risk of employees moving data outside of the old perimeter of an organisation is established, and organisations need a data security strategy which enables them to gain the benefits of cloud applications without incurring undue risk.”

With cloud adoption now entirely mainstream for both enterprise and personal use, data exfiltration of confidential information via cloud services is all too easy. However, adds Passeri, it is equally easy to prevent, in three simple steps:

Proactively govern cloud use by monitoring users’ activities – regardless of whether they are accessing cloud services from a mobile or desktop app. “Data protection legislation makes it clear that it is an organisation’s responsibility to ensure it has visibility of where data goes and how it is used. A CASB solution provides this insight,” he points out.

The next step following visibility is control. “Tesla could have prevented data exfiltration from managed devices to any cloud service or website, either by preventing any access to specific services it deemed risky and inappropriate or by applying granular controls to documents that trigger system alarms for sensitive data.

“For this to be effective, the data protection system needs to understand context within data.” With many cloud services existing in both personal and corporate instances (Dropbox is a prime example), Tesla, and organisations like it, can enforce different policies for the personal and corporate instances of the same cloud service. “It is perfectly possible to use appropriate security systems to,” Passeri concludes, “for instance, prevent the upload of regulated information to any Dropbox, except the corporate-IT-led instance of Dropbox.”
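As an added illustration of the instance-aware policy Passeri describes (example code written for this article, not Netskope’s or Tesla’s; the corporate domain, the regulated-data detectors and the upload events are all constructed), here is a small policy evaluator that tags each upload as going to a corporate or a personal instance and blocks regulated data headed anywhere but the corporate one:

```python
import re
from dataclasses import dataclass

# Hypothetical instance marker: an upload counts as going to the corporate-IT-led
# Dropbox only when the target account is in this (constructed) domain.
CORPORATE_DOMAIN = "example-corp.test"
BLOCKED_APPS = {"pastebin"}   # services deemed too risky to allow at all

# Hypothetical detectors for "regulated information".
REGULATED_PATTERNS = [
    re.compile(r"\b(?:\d[ -]?){15,16}\b"),   # payment-card-like digit run
    re.compile(r"(?i)\bCONFIDENTIAL\b"),      # internal classification label
]

@dataclass
class UploadEvent:
    user: str
    app: str        # cloud service, e.g. "dropbox"
    account: str    # account the upload targets, e.g. "alice@example-corp.test"
    content: str    # document text as seen by the inline inspection point

def is_regulated(text: str) -> bool:
    return any(p.search(text) for p in REGULATED_PATTERNS)

def instance_of(event: UploadEvent) -> str:
    """Visibility step: is this the corporate or a personal instance?"""
    domain = event.account.rpartition("@")[2].lower()
    return "corporate" if domain == CORPORATE_DOMAIN else "personal"

def decide(event: UploadEvent) -> str:
    """Control step: 'allow', 'alert' or 'block' for one upload."""
    if event.app in BLOCKED_APPS:
        return "block"            # no access at all to a risky service
    if is_regulated(event.content):
        # Regulated data may only go to the corporate instance of the service.
        return "allow" if instance_of(event) == "corporate" else "block"
    if instance_of(event) == "personal":
        return "alert"            # unregulated data to a personal instance: log it
    return "allow"

# Constructed sample events (not real users, accounts or documents).
SAMPLE_EVENTS = [
    UploadEvent("alice", "dropbox", "alice@example-corp.test", "# CONFIDENTIAL build script"),
    UploadEvent("bob", "dropbox", "bob@mail.example", "# CONFIDENTIAL build script"),
    UploadEvent("carol", "dropbox", "carol@mail.example", "canteen menu for Friday"),
    UploadEvent("dave", "pastebin", "anon", "card 4111 1111 1111 1111"),
]

def audit(events):
    """One (user, app, instance, decision) row per event, for the monitoring log."""
    return [(e.user, e.app, instance_of(e), decide(e)) for e in events]
```

Running `audit(SAMPLE_EVENTS)` yields allow, block, alert and block for the four events: the same document is permitted to the corporate Dropbox and refused to a personal one.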