What we know about the recent Tesla breach

Tesla alleges that an employee made changes to its Manufacturing Operating System (MOS), wrote malicious code intended to periodically export confidential company data, and installed it on the computers of three unsuspecting colleagues. This code successfully exported a large amount of data - including video and photos of manufacturing operations and proprietary code - to unknown third parties.

The aftermath of breaches can last months or years

There is an ongoing investigation to assess the full extent of damage and the cleanup costs are still unknown. Whether or not the data was manipulated, and the exact recipients and use of the data are still being determined. It appears that he was working alone, but it’s also yet to be determined if anyone was aware of his plans or if he was working directly with any outside organizations. As with any data breach, Tesla will need to be on guard for several ongoing repercussions:

Brand damage: The saboteur’s claims were about sacrifices on quality and safety from the manufacturing side. Confirmed or not, this will place doubt in consumer minds. This is bad press and the investigation and lawsuit could keep it front and center for weeks, or even months.
Becoming a target: The public has now been made aware that Tesla did not have strong enough security measures in place to protect itself from intentional inside attacks. This increases the risk for additional outside or inside threats, especially with the public eye on the company.
GDPR: It doesn’t appear that any EU customer data was involved. However, IF this were the case, Tesla could be faced with millions in fines by the authorities that regulate the GDPR. The world is waiting to see who will be the first poster child for the new GDPR fines.

Insider threat visibility is necessary to any organization

Reveal Cloud detects and prevents both unintentional and intentional threats to an organization. In this instance of malicious intent, there were several triggers that would have raised an alarm if the solution had been in place.

Falsified identity: Reveal would have requested MFA if there was anything unusual about the login activity of the saboteur’s three framed colleagues. This helps prove if the user is actually who they claim to be.
Unusual activity: Our machine learning creates a baseline of an individual’s typical behavior, as well as a comparison against their peers and the whole company. If making changes to the MOS was not in the job description of the user, their access would have been identified as abnormal based on the typical behaviors established for that role and peer group. These baselines would have also determined there was suspicious code running in the background of the machines, regardless of the network or physical location.
Data exfiltration: Unusual quantities of data – in this case gigabytes – being uploaded from monitored devices would also trigger an alarm within the platform. When connections are made to suspicious-looking locations, MFA is triggered. Machine isolation or lock is also used when risk appears severe.

In Musk’s email to employees, he stated the employee was disgruntled because he was passed up for a promotion. There are many personnel events – such as resignations, team changes, performance improvement plans – that can prompt harmful behavior. Reveal (in particular the power search function enables clear visibility across employees to protect the company, without having to sort through data logs. Even seemingly harmless behavior like copying company documents to a personal drive in preparation for a departure will be captured, as well as the file names affected. In the case of a Personally Identifiable Information (PII) breach, this greatly increases the likelihood of being able to decipher the breach and alert the affected parties within 72 hours, the deadline now imposed by the GDPR.