That stolen truck must be a really large one...
On May 3, InsideEVs first told you about a Tesla data leak. It was not caused by a cyber attack but rather by the way Tesla disposed of replaced computers from its own cars. On May 14, a Tesla customer told us the company was blaming a stolen truck for the computers that were found for sale on eBay. We asked Tesla from where and when the truck was taken, but did not hear back from the company. Now we've learned that some European customers are also finding data from their replaced computers for sale online.
GreenTheOnly, the white hat hacker who first told us about this story, discovered used ICEs and MCUs were also for sale in Europe (check our Glossary of Tesla Computer Terms below). These computers were for sale on websites for as little as €80, or $91 USD under the current exchange rate. He bought "a pile" of them. It turns out that there are affected clients in many different countries.
The Customers Involved We Contacted (There Are Way More)
InsideEVs managed to contact five people whose personal data were found on these replaced Tesla computers. Of these five, only one did not get back to us despite many attempts via Facebook, WhatsApp, and email.
LS lives in Austria and had the computer in his car replaced on December 2, 2019, at the Wals Tesla Service Center.
The other four are from the Netherlands, Belgium, and the UK. According to them, Tesla did not get in touch to warn them about the data leak. Most of them decided to remain anonymous, apart from Daniel DiBattista, the owner of a Tesla Model 3 Long Range AWD. His car had an issue with its radio at the beginning of the year, and his ICE was replaced on February 13, 2020.
“My FM radio wasn't working, so Tesla replaced the whole computer – a bit stupid because the small FM module is in the back of the car. After three weeks, they replaced that FM module anyway.”
DiBattista now wants to talk to Tesla about the issue. He said he would contact Tesla to get the situation sorted, but wants some sort of compensation for having to delete passwords, warn the people in his contact list of the problem, and, most of all, for having all that private data exposed.
DiBattista probably bought his car because of his son, who also owns a Tesla: a Model S. DiBattista's son recently had the MCU issue, but he did not replace the computer. Fortunately, he knew professionals who could replace only the defective eMMC card.
Another customer from Belgium is RM. At first, the computer seemed to point to another owner, JG, but this person lives in France. He told us he never owned a Tesla, but that his brother-in-law did have one. That was RM. This shows the data leak exposes not only the car owner but everyone in their contact lists as well, including their families.
“I confirm my Tesla central unit was changed by the end of last year in Zaventem. Scary… Nobody reached out from Tesla. I will reach out to them. We changed all our passwords on your recommendation. The thing is I do not even know who to contact at Tesla. This is a leased company car that I have. I don’t know if they have been informed. I have not. I’d like Tesla to acknowledge and react appropriately and not just ignore things.”
The last European customer we talked to so far is JW, from the UK.
“This is a bit alarming, to be honest. At first, I thought it might be a phishing email or something, but your email account checks out and I can see you have written those articles.”
JW had his computer replaced on January 23, 2020, at the Heathrow Tesla Service Center. He did not use apps in his car, but he had Wi-Fi passwords stored in the old computer.
“I assumed the old computer would be sent back to the Netherlands or the USA to either have further diagnosis performed on it or to be refurbished. I did think of asking if I could have it, but I thought it unlikely they would give it to me. Tesla has not contacted me at all to warn me that my old computer was ‘lost.’”
What does the company have to say about this?
Shortly after we published our first article, around the middle of May, Tesla released the 2020.16.2.1 update. Among other things, it encrypts personal data on Tesla computers, but not in all cases, according to our hacker friend Mr. Green.
“Some cars are now encrypted. I don't know how many, but mine is still not. There were multiple reports on Twitter of people seeing the ‘now encrypting’ screen but at least on my car the encryption was not yet triggered.”
In the ones that are, how does the encryption work? Is it enough?
“The encryption is not perfect but it's decent enough that most people won't be able to break it easily. Also, I think it allows a complete wipe of PII in case of a factory reset now – but I didn’t verify that theory.”
What triggers the encryption? We would ask Tesla, but the company has yet to address the numerous questions we have already sent, especially regarding customers whose computers were replaced before the update.
We've been in touch with the owners we contacted since we began working on the first article. One of the affected customers received this email message from Tesla:
"We are writing to inform you of an isolated incident that may affect the personal information of a small number of customers, including you. Although we are not aware of any misuse of your data, we are providing this notice to ensure that you are aware of what happened, the measures we have taken, and some recommended steps you may take to better protect against possible misuse of your personal information, should you feel it appropriate to do so.
Tesla car computers are removed and replaced for customers upgrading to Full Self-Driving (https://tesla.com/support/full-self-driving-computer…). On April 16, 2020, Tesla identified a small number of car computers were improperly removed from Tesla's facility without authorization. We immediately took steps to secure the locations where such computer units are stored and promptly began an investigation into the issue. We determined that this unauthorized action took place before the computer units were able to undergo Tesla's standard procedure for secure remanufacturing or disposal, inadvertently exposing some personal information to an unauthorized third party. We do not have any evidence that your information was used or further disclosed. Please note that this was limited to information contained within the car computer, and it did not affect any other information systems.
What Information Was Involved
We conducted a comprehensive review of the personal information contained within the car computer unit. The types of personal information that may have been impacted include: your first and last name, third party vehicle application login details (username and password), sync'd calendar event details, phone contacts, web browser history, saved addresses in maps, navigation history, and media player history. No customer financial or payment information was impacted.
What We Are Doing
The confidentiality, privacy, and security of personal information is a top priority. As soon as we discovered this isolated incident, we took the measures referenced above, and no other computer units are known to be impacted. We have notified law enforcement who is working in an effort to secure the return of the units back to Tesla for proper disposal. Additionally, we have also further enhanced the remanufacturing and disposal procedure of the replaced computer units to prevent similar activity.
What You Can Do
While we have no evidence to believe that your personal information has been misused, for your protection and in an abundance of caution, we have reset your Tesla Account, and we encourage you to change your password for any other accounts on which you used the same or similar password for any vehicle applications such as Google, Spotify, Slacker, Netflix, etc. Additionally, be cautious of any unsolicited communications that ask or refer you to a website asking for your personal information.
Tesla Data Protection Office"
We have no idea how many people received this message or when it was sent. If you are among the contacted clients, let us know more about your story. We also want to find out what a "small number of customers" means. For the record, Mr. Green is still acquiring computers in the U.S.
European Data Protection Board
Since some of the people we contacted said they were getting in touch with authorities to report the data leak, we also contacted the European Data Protection Board to ask whether it was taking any measures. This is what the EDPB told us:
“Enforcement lies with the national supervisory authorities. EU data subjects who fear their data protection rights might have been violated in this particular instance can log a complaint with their national supervisory authority, which can investigate the matter.”
That said, if you have had a computer retrofit performed in Europe, you now know whom to contact besides Tesla to get this clarified. Change the passwords you use in your Tesla, warn the people in your contact list about the leak, and watch for unusual activity involving your data.