IT Governance Podcast 25.8.23: Tesla, Duolingo, Lapsus$ trial

This week, we discuss “insider wrongdoing” at Tesla, a data breach affecting 2.6 million Duolingo users and the conclusion of a two-month court case against members of the Lapsus$ gang.

Also available on Spotify, Amazon Music, Apple Podcasts and SoundCloud.

Transcript:

Hello and welcome to the IT Governance podcast for Friday, 25 August 2023. Here’s the news:

A data breach at Tesla, which affected 75,735 people and saw sensitive company data compromised, was caused by two former employees, the electric car maker has said.

In a data breach notice filed with Maine’s attorney general, Tesla’s data privacy officer, Steven Elentukh, said its investigation into the incident “revealed that two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies” and shared it with Handelsblatt, a German media company.

Handelsblatt reported in May that insiders had leaked 100 gigabytes of data from Tesla’s IT system.

According to TechCrunch, the compromised Tesla data obtained by Handelsblatt included “personally identifying information, including names, addresses, phone numbers, employment-related records and Social Security numbers belonging to 75,735 current and former employees” – including Elon Musk’s own Social Security number – as well as “customer bank details, production secrets and customer complaints about Tesla’s Full Self-Driving (FSD) features.”

Tesla says it “immediately took steps to contain the incident” and “filed lawsuits against the two former employees” which “resulted in the seizure of the former employees’ electronic devices that were believed to have contained the Tesla information.”

It also notes that Handelsblatt “has stated that it does not intend to publish the personal information, and in any event, is legally prohibited from using it inappropriately.”

The two former Tesla employees are also subject to court orders that prohibit them from “further use, access, or dissemination of the data, subject to criminal penalties,” Tesla’s data breach notice says.

Data relating to 2.6 million users of the popular language learning platform Duolingo has been released on a hacking forum.

The data was originally offered for sale on the now-defunct Breached forum for $1,500 in January, but was recently listed again on a new version of the forum for 8 site credits – worth just $2.13.

According to BleepingComputer, the data “includes a mixture of public login and real names, and non-public information, including email addresses and internal information related to the DuoLingo service”.

The dataset was apparently compiled using an exposed API (or application programming interface) “that has been shared openly since at least March 2023”.

All of the compromised Duolingo data was already in the Have I Been Pwned database, which suggests that the attacker submitted email addresses that had been compromised in other breaches to the dubious Duolingo API to confirm that those email addresses were associated with active Duolingo accounts.

The API “is still openly available to anyone on the web” despite being reported to Duolingo at the time of the first breach in January.
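The mechanism described above, an API that confirms whether an email address belongs to an active account, is a textbook user-enumeration weakness. The following is an added, constructed example, not code from the podcast, from Duolingo or from BleepingComputer: it models a lookup endpoint that answers differently for registered and unregistered addresses, a hardened variant that answers uniformly and applies a per-client request budget, and a small detection pass over constructed access-log lines that flags a client querying many distinct addresses. All function names, sample data and thresholds are assumptions.

```python
# Added, constructed example: not the podcast's, Duolingo's or BleepingComputer's code.
# Models an account-lookup API that leaks account existence, a hardened variant,
# and a log-based check for enumeration-like traffic. All names are assumptions.
from collections import defaultdict

# Constructed sample of registered addresses (not real users).
REGISTERED = {"alice@example.com", "bob@example.com"}


def lookup_leaky(email: str) -> dict:
    """Weak design: status and body differ by account existence, so a list of
    addresses from unrelated breaches can be confirmed one request at a time."""
    if email.lower() in REGISTERED:
        return {"status": 200, "exists": True}
    return {"status": 404, "error": "user not found"}


class HardenedLookup:
    """Hardened design: identical status and body whether or not the address is
    registered, plus a per-client request budget per time window."""

    def __init__(self, max_per_window: int = 5, window_seconds: float = 60.0):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._calls = defaultdict(list)  # client_id -> request timestamps

    def lookup(self, email: str, client_id: str, now: float) -> dict:
        recent = [t for t in self._calls[client_id] if now - t < self.window_seconds]
        if len(recent) >= self.max_per_window:
            self._calls[client_id] = recent
            return {"status": 429, "message": "too many requests"}
        recent.append(now)
        self._calls[client_id] = recent
        # Internal work (e.g. queueing a verification email) may branch on
        # existence here; the caller never learns the outcome.
        _registered = email.lower() in REGISTERED
        return {"status": 202,
                "message": "If this address is registered, a message has been sent."}


def responses_distinguishable(lookup_fn, known: str, unknown: str) -> bool:
    """True if a caller can tell a registered address from an unknown one."""
    return lookup_fn(known) != lookup_fn(unknown)


def simulate_client(times, max_per_window: int = 3, window_seconds: float = 60.0):
    """Replay one client's requests at the given timestamps; return statuses."""
    h = HardenedLookup(max_per_window, window_seconds)
    return [h.lookup("x@example.com", "c", t)["status"] for t in times]


def flag_enumeration(log_lines, distinct_threshold: int = 3):
    """Detection: client ids that queried more than `distinct_threshold`
    distinct addresses. Constructed log format: '<ts> <client> <email>'."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than aborting the job
        _ts, client, email = parts
        seen[client].add(email.lower())
    return sorted(c for c, emails in seen.items() if len(emails) > distinct_threshold)


# Constructed access log: one client probing many addresses, one normal user.
SAMPLE_LOG = [
    "1692950000 10.0.0.7 alice@example.com",
    "1692950001 10.0.0.7 bob@example.com",
    "1692950002 10.0.0.7 carol@example.com",
    "1692950003 10.0.0.7 dave@example.com",
    "1692950010 10.0.0.9 alice@example.com",
    "1692950011 10.0.0.9 alice@example.com",
]

if __name__ == "__main__":
    print("leaky distinguishable:",
          responses_distinguishable(lookup_leaky, "alice@example.com", "nobody@example.com"))
    h = HardenedLookup()
    print("hardened distinguishable:",
          responses_distinguishable(lambda e: h.lookup(e, "c1", 0.0)["status"],
                                    "alice@example.com", "nobody@example.com"))
    print("rate-limit statuses:", simulate_client([0.0, 1.0, 2.0, 3.0, 100.0]))
    print("flagged clients:", flag_enumeration(SAMPLE_LOG))
```

The point of the hardened variant is that the response, including the HTTP status, carries no information about whether the address exists; the rate limit and the log check are defence in depth for the case where some difference (for example in timing) remains.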

So, if you use – or, indeed, have used – Duolingo, it’s a sensible precaution to check haveibeenpwned.com to see if your data has been compromised, and remain extra vigilant about phishing emails – especially those purporting to come from Duolingo.

Duolingo has not responded to BleepingComputer’s request for comment.

Last March, several members of the Lapsus$ gang, which carried out a series of high-profile cyber attacks in 2021 and 2022, were arrested. Most of them were teenagers.

This week, following a two-month trial, a jury at Southwark Crown Court unanimously ruled the gang’s alleged ringleader, 18-year-old Arion Kurtaj, responsible for twelve offences, including six counts under the Computer Misuse Act, three counts of blackmail and two counts of fraud.

The autistic teenager could not be found guilty of criminal intent because psychiatrists deemed him unfit to stand trial.

The Independent reports that prosecutors alleged that Kurtaj and a 17-year-old who cannot be named for legal reasons were “key players” in the Lapsus$ gang, which, among other attacks, “hacked the servers and data files of broadband provider BT and mobile operator EE before demanding a four million US dollar ransom on August 1 2021”.

According to Computer Weekly, as well as BT and EE, Lapsus$ attacked “companies such as Microsoft, Nvidia, Okta, Revolut, Rockstar Games, Samsung, Uber and Ubisoft, crimes which they boasted of on a Telegram group which at one point had more than 35,000 members”.

Some of the attacks – including the attack on Rockstar Games, in which he leaked game footage from the highly anticipated Grand Theft Auto 6 – were carried out while Kurtaj was on bail in a Travelodge in Bicester, where he was banned from using the Internet.

The BBC reports that “jurors were told that police found an Amazon Fire Stick in his hotel TV allowing him to connect to cloud computing services with a newly purchased smart phone, keyboard and mouse”.

Both Kurtaj and his 17-year-old accomplice will be sentenced at a later date.

That was the news. And that’s it for this time. We’ll be back in a fortnight, but until then you can get in touch with us either by leaving a comment on the blog, or via Twitter @itgovpod (that’s my account) or @itgovernance. Our archive is on SoundCloud, Amazon Music, Spotify and Apple Podcasts, and you can find everything you need to implement and maintain cyber security defence in depth on our website: itgovernance.co.uk.