Tesla Employee Sabotage and What We Can Learn From It

The employee sabotage that Tesla has recently faced is a nightmare for many organizations and security officers. Not only a disgruntled employee has stolen sensitive information and trade secrets but he has also directly changed the code of the operating system used by the company. This situation, of course, raises the questions of how this employee got access to a privileged account and what organizations can do to prevent employee sabotage.

Late Evening Email from CEO

On June 17, 2018, Elon Musk, CEO of Tesla, informed the company staff about an internal threat carried out by an unnamed employee. According to his email, one of Tesla employees used a false username to make unspecified code changes to the Tesla Manufacturing Operating System and transmit the company’s sensitive data to third parties.

Though the name of a suspected person was not mentioned in the email, Elon Musk informed that the possible reason for sabotage was that the employee expected to get a promotion but didn’t receive it. Tesla has recently had a massive layoff due to reorganization, which also could prompt the employee to commit sabotage.

The email was followed by an internal investigation to find out whether the employee committed the sabotage alone or worked in cooperation with someone else. Elon Musk told Reuters that there are many companies who want Tesla to die, including oil and gas businesses, rival car companies, as well as Wall Street short-sellers. This sabotage could negatively affect Tesla’s plans to ramp up production of Tesla Model 3s up to 5,000 per week by the end of the quarter.

What Investigation Reveals

After the internal investigation was over, Tesla sued its former employee Martin Tripp who worked at the Gigafactory as a process technician from October last year till the beginning of June and was disgruntled over a lost promotion.

Tripp allegedly wrote a malicious code and used it to infect computers of three employees to routinely export confidential data after he left the company. Tesla also indicted him for his attempts to recruit other company’s employees to assist him in stealing data.

Currently, Tripp denies his involvement in the sabotage and is raising funds to face the electric car maker in court. At the same time, Tesla is looking for an Intrusion Detection Security Engineer, who should ensure the safety of the company’s sensitive data.

Are Insider Threats So Real?

Unfortunately, the employee sabotage at Tesla is just one more example of insider threats that many organizations are suffering from with ever-increasing frequency.  For instance, CIA has also become a victim of malicious insider Joshua Schulte who abused his privileged access to steal nearly 9,000 confidential documents. In 2015, Morgan Stanley reported about a data breach conducted by its in-house banker who stole records of 10 percent of the bank’s clients.

According to the 2018 Data Breach Investigations Report by Verizon, nearly half of all breaches were conducted by malicious insiders who abused their privileges. In addition, another survey among the US organizations revealed that 80% of internal attacks were performed during work hours on company-issued software.

How Organizations Can Protect Themselves

Tesla insider sabotage could be prevented if the company had more carefully developed its insider threat protection program. Protecting an organization’s assets from malicious insiders requires the detection of suspicious employee activity and the establishment of the principle of least privilege.

Modern user activity monitoring solutions can record all actions of employees and notify security officers about any kind of suspicious activity: from visited websites to used applications to connected devices. Software like this uses predefined or custom sets of criteria in order to distinguish malicious activity and allow security personnel to quickly examine suspicious actions in its original context. It’s useful not only for detection, but also to conduct investigations, allowing to learn what exactly was done, and how perpetrator managed to do it.

Access control is another vector for protection. While all employees have access to the corporate network, it’s necessary to follow the principle of least privilege. This principle allows eliminating access to sensitive data for employees who don’t need it for performing their responsibilities. Thus, by using change logs and setting up approval for critical asset changes, you can protect your code and resources from any illegitimate access. However, the implementation of this principle requires organizations to constantly re-examine its permissions structure and enter necessary limitations.

Moreover, by monitoring the activity of privileged users, organizations can detect when employees install suspicious software or use accounts of other employees. Monitoring should also cover the activity of system administrators or other privileged users who have permissions to create new accounts. Account creation and authorization should be handled by a centralized group who will confirm all requests.

In case of insider threat detection, a solution for employee monitoring will provide you with an opportunity to obtain reports and log data for further forensic investigation.

Conclusion

Tesla employee sabotage is one more case that outlines the importance of monitoring employee activity by organizations. Even the largest companies are at risk of suffering from disgruntled employees. Though it’s not easy to detect malicious insiders, having the right monitoring tools in place will provide you with more abilities to protect your company’s critical assets and trade secrets.