A recent Reddit thread has exposed a significant privacy issue with the Tesla App. On 1st March 2020, Reddit user theplexgame created a post on r/teslamotors stating that “After returning your lease or selling your Tesla your personal info may be available to the next buyer via the app.” The user explained that they had access to the previous owner’s name, address, account number, and bill history via the Finance section of the app. We are in contact with Tesla and are currently awaiting a statement on the issue.
The user claimed that this significant error was later fixed; however, the post received comments from many other Tesla customers complaining of suffering from similar issues, which raises a lot of privacy concerns for Tesla.
Privacy flaws in Tesla App exposed
The Reddit post by u/theplexgame highlights a massive privacy error in the Tesla App. As the user stated in their post, a quick Google Search enabled them to find the previous owner’s personal Instagram account.
By allowing new owners to view sensitive information of previous owners, such as payment history, Tesla is inadvertently putting its customers at risk. Sensitive data like that exposed in the Tesla App is eagerly sought after by cybercriminals and can lead to fraud and identity theft.
While many users on the Reddit thread were quick to simply call this issue a ‘bug,’ many others claimed they too had experienced the same thing. Some users said they could see the driver’s licenses and registration information of previous owners. Others alleged that they sold their Teslas but still had access to the car via their account for months, enabling them to see the vehicle’s movements.
A bug or company oversight?
Tesla is at the forefront of the electric vehicle industry, but that doesn’t mean its vehicles don’t experience their fair share of issues. The fact that users could access a large amount of previous owners’ financial data in their Tesla Apps could be an oversight on the part of the company. However, this isn’t the first time Tesla has come under fire for problems with its vehicles.
In January 2022, vulnerabilities were found in Tesla’s software, with security researcher David Colombo able to access dozens of Tesla vehicles remotely. Similarly, many Tesla vehicles were recalled in November 2021 due to a software bug with the vehicle’s auto-braking feature, which created a safety risk.
It could be that the Tesla App’s software is inadvertently allowing users to view sensitive financial data on the finance tab due to a bug. However, it is more likely that this is a slip-up by the Tesla team; indeed, the user who raised this issue on Reddit claimed that it was quickly resolved, which indicates that it was a company blunder, albeit a rather large one.
Customers discussed other experiences with Tesla and their data
The Reddit post garnered many responses, leading to an exchange of views between users, many of which raised interesting points. There was discussion amongst users as to whether it was the responsibility of Tesla or users to ensure that their vehicle data was wiped entirely before selling or leasing a car.
Many users said that unless owners did a factory reset before selling cars or ending leases, they couldn’t expect Tesla to remove their data from the vehicle; this also includes financial history. However, others argued that given the amount of data that Tesla collects so users can enjoy all the premium connectivity features, Tesla has a responsibility to protect its customers’ data and privacy.
On the official Tesla website, the company states that any customer selling or trading in a vehicle is required to “clear their data and restore it to factory settings.” Without doing so, users may find that data remains connected to their cars and accessible to new owners.
However, it doesn’t seem like a factory reset always removes data. One Reddit user claimed in a comment under the post that they traded in their Tesla after removing all data, and the new owner was still able to use their Spotify account.
Is it really a cause for concern?
Along with discussion over whose responsibility it is to ensure that no identifiable data remains linked to vehicles after customers give up ownership, many other users failed to see any issue with the Tesla app revealing financial data of previous owners. Indeed, some users stated that it was customary to know the previous owner’s name and the basic financial history when buying a second-hand car.
While it is normal to know some information about the car’s history, such as collision and loan records, the issue with the Tesla App is different. Users had access to highly personal information, including account numbers and email addresses. Plus, the new owners could see billing schedules and payments that were previously made, which reveals a lot about the financial situation of the previous owner. This is a massive oversight regarding data privacy laws and breaks GDPR in the EU and similar US privacy protection laws.
While Tesla tells customers that they need to wipe their data from the vehicle before re-leasing or selling it, it ultimately is the responsibility of the car manufacturer. Tesla needs to create a seamless process to entirely disconnect the previous owner from the vehicle and ensure that each individual’s data and privacy is protected.