The majority of cybersecurity efforts are focused on preventing outside bad actors from hacking into systems or installing destructive malware – and rightfully so. But there is also a sizable risk from disgruntled employees walking away with intellectual property, or an “inside job.” Chemical giant DuPont learned that lesson the hard way in 2005, when research chemist Yonggang “Gary” Min stole $400 million in trade secrets on his way out the door.
The Commission on the Theft of American Intellectual Property estimates that annual costs from intellectual property losses range from between $225 billion to $600 billion. Though much of this comes from professional hackers or nation-state actors like China, internal theft is a sizable threat and can be even harder to detect and neutralize.
Min had worked at DuPont for more than a decade when he took a job with UK-based competitor Victrex. But before informing DuPont of his decision to leave, he surreptitiously put thousands of pages of confidential design documents on a personal laptop.
Between August and December 2005, Min downloaded approximately 22,000 abstracts and viewed around 16,700 full-size PDF documents from DuPont’s Electronic Data Library (EDL) server, located at the company’s Wilmington, Delaware, facility. DuPont didn’t notice the threat until Min announced his plans to leave the company and an internal probe uncovered his unusually high EDL usage. During that stretch, he had accessed more than 15 times as many documents as the second most active user on the EDL.
When DuPont learned of Min’s illicit activity, they contacted the Department of Commerce and the FBI, who raided his home and recovered the stolen goods. It turns out the majority of the information Min took did not relate to his own work at the company; instead, it involved DuPont’s primary technologies and product lines, including many that were still in the research and development phase, which explains the elevated price tag.
The raid of Min’s home uncovered garbage bags filled with shredded DuPont documents as well as the remnants of documents that had been burned in the fireplace. He took so many physical pages from the company, he had rented an outside storage unit in an apartment complex to hold all the boxes.
Min received a comparatively light sentence for his crime – 18 months in jail and a $30,000 fine – considering the massive trove of confidential information he stole. He was also required to pay $14,500 in restitution to DuPont. But he faced a maximum sentence of 10 years and a $250,000 fine.
“It was, and is, the biggest mistake I ever made in my lifetime,” he said at the time of his sentencing, according to an Associated Press report. “Please give me the chance, your honor, to have the opportunity to show you my success and make you proud of the new man I have become.”
Min’s lenient sentence ultimately came down to what he did with the stolen documents, which turned out to be very little. Though he told arresting officers he planned to take the information with him to Victrex, prosecutors could not prove he had shared any of the data.
Shortly after Min started work at Victrex, he did upload 180 DuPont documents to his company-issued laptop, but FBI officials contacted Victrex the following day to inform them of the situation. Victrex promptly handed the laptop over to the FBI and cooperated with the investigation throughout.
“There’s no scheme here, there’s no money here, there’s no greed factor here,” said defense attorney Michael Mustokoff during the trial, suggesting Min took the documents for his own edification. “He is a man of intense curiosity. He is a scientist through and through.
“Dr. Min’s judgment was certainly clouded. … But there is no evidence that he set out on a path to hurt the company.”
Throwback Attack: Lessons from the Aurora vulnerability
Throwback Attack: WannaCry ransomware takes Renault-Nissan plants offline
Throwback Attack: The NotPetya malware causes serious damage to snack giant Mondelez