Arrest of Scientist a Stark Reminder for Businesses of Insider Threat

Case another example of economic aggression by China according to U.S. officials

As cybersecurity experts, Dox Electronics is constantly warning clients to remain vigilant when it comes to protecting their proprietary data. This is true even for trusted employees. Insider threats are very real as exemplified by the recent arrest and conviction of a Chinese scientist who reportedly stole intellectual property from his U.S. employer worth an estimated $1 billion.

A Cautionary Tale

Hongjin Tan, a 36-year-old scientist, was working with an unnamed U.S. petroleum company based in Oklahoma. Along with other researchers, Tan was working on the development of next-generation technologies for flow batteries and energy storage.

On Dec. 11, 2018, Tan downloaded hundreds of proprietary files related to his work and that of others from his employer onto a storage device. He then resigned from his post but returned the next day with a storage device, claiming he forgot to turn it in before he left. The company then examined the returned flash drive only to discover there was unallocated space on the device along with indications that documents had been stored on it before they were deleted.

Tan’s former employer contacted the Federal Bureau of Investigation and a warrant was issued to search the scientist’s home. After a search of Tan’s external hard drive, it was discovered that he had pilfered trade secrets from his former employer.

According to a piece by ZDNet regarding the arrest, prosecutors said, “Further accessing the material would have been financially advantageous for Tan but caused significant financial damage to his Oklahoma employer.”

Tan was arrested in November 2019 and worked out a plea agreement with prosecutors in which he admitted to intentionally copy and downloading research without permission from the company where he had worked. Prosecutors believe the final destination for the stolen information was China.

This incident, according to Assistant Attorney General for National Security John Demers, is just “another instance of China’s persistent attempts to steal American intellectual property.”

U.S. Attorney Trent Shores from the Northern District of Oklahoma added, “Unscrupulous individuals like Hongjin Tan seek to steal American trade secrets to take home to China so they can replicate our technology. United States Attorney’s from coast to coast stand ready to combat China’s economic aggression that criminally threatens American Industry.”

Tan has been sentenced to two years in prison followed by three years of supervised release, according to the U.S. Department of Justice. He has also been ordered to pay $150,000 in restitution to his former employer as well.

Insider Threats

This incident serves as a reminder to businesses to keep an eye on their employees. According to the 2019 Data Breach Investigations Report by Verizon, 34 percent of breaches involved internal actors. That means more than a third of breaches are the result of employees or former employees. In addition, the report shows 71 percent of breaches were financially motivated as it seems Tan was.

The danger of internal threat is real. The crime triangle identifies three factors to creating a criminal offense. First is the desire or motivation to commit a crime. Next is identifying the target of a crime. Finally, there must be an opportunity for a person to commit a crime.

Of course, in Tan’s case, he was financially motivated and his U.S. employer was an easy target since he has inside access. Finally, he has the means to access the information, save it, and remove it from the company. Though money is a huge motivator, malicious insider threats can also be inspired by revenge and politics as well.

What to Watch For

According to the Grand Theft Data report by McAfee, 22 percent of data theft investigated for the report was committed intentionally by internal actors. Additionally, another 21 percent of data loss included in the report was unintentionally caused by internal actors. This demonstrates that while all internal data loss isn’t malicious, it’s still dangerous for businesses. Here are a few things to watch for to prevent internal threats.

One Foot Out the Door

If someone is leaving your organization as Tan was doing when he stole valuable data, be sure to ask where that employee is going. Also ensure that as soon as they give their notice, that their access to all IT resources and hard copy data is stopped. This includes business partners who may cut ties that have been given previous access.

The Disgruntled

Disgruntled workers are another thing to watch for as good employees can turn bad if they feel wronged. According to the aforementioned McAfee report, disgruntled employees are the second greatest threat to data loss. Whether an employee is passed over for a promotion they feel they deserve or believe they aren’t being paid what they are worth, if someone is unhappy enough, they may take out their unhappiness on the company. Watch for employees who are doing the bare minimum, withdraw from colleagues in the workplace or those who express anger or unhappiness with the company. While an unhappy employee may not seek revenge, they may just become complacent and sloppy leading them to become an unintentional insider threat.

Poaching More than Employees

Also, keep an eye on employees that are “poached” by your competitors. Oftentimes these employees that are lured away by direct competitors may ask them to bring along some of your company’s proprietary information. An employee being wooed by your competitor may feel pressured to take along information that could boost their standing in their new workplace. As mentioned earlier, as soon as they announce they are leaving, cut their access to both digital and hard data. Business leaders may also employ technology that alerts them to strange or unusual activity by employees such as Logging and Security Information and Event Management (SIEM) platforms. Such technology can help spot account misuse and the exfiltration of data.

Accidental Threats

We’ve said it before and we will say it again: Your employees can be your greatest defense or your greatest weakness. Accidental internal threats make up a huge portion of insider threats. Many small and medium businesses (SMBs) are targeted by cybercriminals for phishing campaigns and malware as a means of stealing information. Such accidents occur when an employee clicks on a malicious link in an email or attachment.

To avoid accidental insider threats, businesses must educate their employees regularly on cybersecurity best practices. Every employee should undergo training during the onboarding process. Additionally, it’s highly recommended to provide every employee with regular cybersecurity training on a quarterly basis. At a minimum, ongoing cybersecurity training should occur on an annual basis so your employees know what they are up against and how to protect themselves and the company.

If you’d like more information on insider threats, how to spot them, and how to prevent them, contact Dox Electronics at (585) 473-7766. Our cybersecurity experts are here to help secure your business and its most valuable data.