Tesla, the electric carmaker, has been hit by a major data leak, according to German newspaper Handelsblatt.
The leak, which a whistleblower disclosed, includes 100 gigabytes of confidential data and reveals the company’s failure to protect customer, employee, and business partner information adequately.
The leaked data set, labelled ‘Tesla Files,’ contains tables with over 100,000 names of current and former employees, including Tesla CEO Elon Musk’s social security number, as well as private email addresses, phone numbers, employee salaries, customer bank details, and secret production information.
The breach potentially violates the General Data Protection Regulation (GDPR).
The data protection office in Brandenburg, where Tesla’s European Giga factory is located, described the leak as ‘massive.’ If Tesla is found guilty of such a violation, it could face fines of up to 4% of its annual sales, amounting to €3.26 billion ($3.5 billion).
The leaked files also revealed numerous customer complaints about Tesla’s driver assistance programs. Around 4,000 complaints were reported regarding sudden acceleration and phantom braking.
The German union IG Metall expressed concern over the revelations and called on Tesla to inform its employees about data protection violations and foster a culture where staff can openly raise concerns.
Tesla responded to the leak by stating that a ‘disgruntled former employee’ with service technician access was responsible, and the company intends to take legal action against the suspected individual.
The data protection watchdog in the Netherlands, where Tesla’s European headquarters is located, acknowledged the potential data protection breaches and stated they were looking into the matter.
This incident follows a recent Reuters report that revealed Tesla employees had privately shared invasive videos and images recorded by customers’ car cameras between 2019 and 2022.
Facebook’s parent company, Meta, also faced a record €1.2 billion fine from its lead EU privacy regulator this week over its mishandling of user information. It was given five months to halt the transfer of user data to the US.