Part I: When Insiders and Competitors Target Businesses

Lightwave Microsystems, America Online (AOL), Casiano Communications Inc., Corning Inc., Avery Dennison, Toshiba and Lexar Media, & Citroen and SigmaTel

Lightwave Microsystems

In late 2002, Lightwave Microsystems, a privately held company in California, announced it would cease operations because of financial difficulties. But Lightwave's inability to turn a profit didn't mean it was without value. It held patents and had developed saleable trade secrets. It was subsequently bought by NeoPhotonics (San Jose, Calif.), but not before some ugliness.

Brent Woodward held a trusted position at Lightwave. He was its director of information technology. He copied the company's trade secrets, which had been stored on backup tapes, and then attempted to sell them to a competitor.

No one detected Woodward's unauthorized activity. As the company's IT director, he had natural and unencumbered access to the information and, indeed, it was his responsibility to protect it.

Using an alias ("Joe Data") and a Web-based e-mail account (, Woodward contacted the chief technology officer for JDS-Uniphase (JDS), and offered to sell Lightwave's data. But JDS immediately contacted the U.S. Federal Bureau of Investigation (FBI), agreed to cooperate in the investigation and allowed the FBI to monitor its communications with "Joe Data."

The FBI trace determined that the "Joe Data" messages were originating from an Internet connection within Woodward's residence. After executing a search warrant, the FBI charged and arrested Woodward on one count of theft of trade secrets.

In August 2005, the U.S. attorney's office for the Northern District of California announced that Brent Woodward pleaded guilty to the charge and was scheduled to be sentenced in December 2005. Woodward faced the possibility of 10 years imprisonment and a fine of $250,000.

Of course, Woodward was an amateur and was acting by himself, for himself, and thus had no interests other than his own. His methodology was very sophomoric. But even a bumbling amateur can deliver a devastating blow.

Consider what would have happened had Woodward offered the purloined data to a less ethical competitor. Would the value of Lightwave have been jeopardized and its sale to NeoPhotonics canceled if the unethical competitor got to market fast enough? Certainly. And, if the trade secret theft was revealed only after NeoPhotonics purchased Lightwave, what recourse would NeoPhotonics have had available to it? Little more than a lengthy litigation to protect intellectual property it wasn't aware had been stolen prior to the purchase.

America Online (AOL)

In April and May 2003, an AOL software engineer named Jason Smathers used a colleague's access codes to acquire information on 30 million AOL customers. The stolen data, which consisted of 92 million separate records, included e-mail addresses, screen names, ZIP codes, customer credit card types and telephone numbers associated with AOL customer accounts.

Smathers sold the stolen AOL e-mail addresses to Sean Dunaway for US$27,000. Dunaway, a resident of Las Vegas, Nev., utilized the addresses to advertise his own online gambling website, and then resold the AOL data to "spammers" for approximately $52,000.

Smathers' use of a colleague's administrative log-in proved to be an effective way to bypass AOL's internal security controls. (His colleague had the natural access; Smathers didn't.) AOL knew that it had a problem and was cooperating with law enforcement, but Smathers remained an AOL employee, and unidentified as the culprit, until mid-2004.

The U.S. Department of Justice (DoJ) prosecuted this case under the Controlling the Assault of Non-Solicited Pornography and Marketing (Can-Spam) Act.

In February 2005, Smathers pleaded guilty. In October 2005, he was sentenced to 15 months in prison and fined $84,000, triple what he garnered through the sale of the data. (Smathers clearly knew the data was worth something, but he grossly underestimated the street value of the information.)

Though DoJ recommended that Smathers be barred from the software profession, the judge noted Smathers' cooperation in the investigation and believed that the cooperation and Smathers' contrite behavior warranted leniency. Smathers told the court that AOL had said his theft and subsequent sale had cost the company at least $400,000. (Potentially, it cost it millions of dollars.)

But the real damage may still be looming out there in the dark alleys of cyberspace. What costly mischief could e-mail fraudsters ("phishers") or unscrupulous telemarketers carry out with the collation of those e-mail addresses, user names and user telephone numbers? Such personal information is priceless in the underworld industry of identity theft.

There is also the risk to one's reputation in such incidents. AOL is advertised as a "family-friendly" environment, one where the customer doesn't have to be a technological marvel to enjoy the wholesome pleasures of the Internet and not be exposed to its seedier side. AOL admitted that the Smathers caper cost the company at least $400,000; the downside may be much greater as it creates software to mitigate the loss of customer data, while simultaneously working to regain the trust of its customer base.

Casiano Communications Inc.

In mid-October 2005, Casiano Communications Inc. (CCI), the prominent publisher of Caribbean business and travel literature magazines, filed suit against John Bynum, a former employee. CCI alleges that Bynum stole its intellectual property, specifically databases, which Bynum forwarded to his personal e-mail account from CCI's computers. According to CCI, he stole client and advertiser information, which violates the company's electronic mail and company resources and equipment policy.

CCI alleged that Bynum had been selling a database of key business contacts in Puerto Rico, to assist companies in marketing their products and services.

The Superior Court of San Juan, Puerto Rico, issued a temporary restraining order against Bynum. It required him to cease and desist from utilizing, transmitting, selling or reproducing any form of database, or other trade secrets obtained during the course of his employment with CCI. The injunction granted CCI the right to seize all of its materials contained in any computers, disks or other information-technology items in the personal possession of the defendant.

Corning Inc.

Jonathan Sanders was an employee of Corning Inc. who worked at the Harrodsburg, Ky., plant. On Oct. 20, 2005, DoJ charged him with the theft of trade secret material belonging to Corning, specifically material pertaining to an overflow downdraw fusion glass-making process used to produce thin filter transistor liquid crystal display (LCD) flat panel glass.

It is alleged that Sanders began his theft of Corning's intellectual property in December 1999, and that it continued through December 2001. It is also alleged that Sanders subsequently sold the material to PicVue Electronics, a Taiwanese corporation.

In his statement to the FBI, Sanders indicated that he found blueprints containing the Corning trade secrets within a Corning warehouse in 1999. The blueprints were in a container of material awaiting destruction. Sanders took the blueprints home instead of destroying them. He traveled to California and met with Jacob Lin, PicVue's president, and Yeong C. Lin, a consultant working with PicVue. According to Sanders, he did not actually show them the drawings; he only described the fusion draw process. Subsequently, PicVue allegedly offered him a job, which he declined.

Many months later, in September 2000, PicVue wired US$30,000 to a California bank account. Lin, the consultant, took control of the funds and enlisted a college roommate, Danny Price, to deliver $25,000 of it to Sanders, so as to obfuscate the connection between PicVue and Sanders. In exchange for the money, Sanders gave Price the stolen Corning blueprints.

PicVue's engineers took digital pictures of the blueprint documents and transferred the images to a digital storage device. The engineers hand-carried the device back to Taiwan. The blueprints were then allegedly destroyed.

In November 2000, engineers from PicVue traveled to Kentucky and met with Sanders to discuss the blueprints he had sold to PicVue.

In September 2001, PicVue representatives traveled to Saint-Gobain Ceramics, a company in Niagara Falls, N.Y., to purchase a part for the fusion process. Because of their prior commercial relationship with Corning, Saint-Gobain personnel recognized the utility of the part as being applicable only to the fusion draw process, and alerted Corning to the possibility that its trade secrets had been compromised. Corning representatives visited Saint-Gobain's offices, reviewed the specifications provided by PicVue, and concluded that Corning trade secrets were involved.

Corning contacted the FBI, and an investigation commenced in October 2001, which led to Sanders' arrest and indictment in late 2005. The prosecuting attorney noted that the intellectual property carried a value of $100 million. Sanders pleaded guilty to the charges and was to be sentenced on April 18, 2006. Corning and PicVue were able to arrive at a settlement, with PicVue allegedly having paid Corning $15 million in damages. In April 2006, Sanders was sentenced to four years imprisonment and fined $20,000.

Corning apparently had a set of procedures in place to destroy company confidential documents, but it appears that it had no mechanism to ensure that documents put into the "to be destroyed" bin were, in fact, subsequently destroyed.

This case offers another example of a company being ignorant of the theft of its intellectual property until the recipient of the stolen secrets approached one of the few organizations in the world able to create the parts necessary to make the purloined documents effective in the marketplace. It was the strength of the relationship between Corning and Saint-Gobain that brought the illegal activity to light-certainly not any of Corning's internal procedures.

Avery Dennison

Avery Dennison, headquartered in Pasadena, Calif., is one of the country's largest manufacturers of adhesive labels. It spends a great deal of money on research and development of adhesives, and retains the formulas as its intellectual property. The company's adhesives and methodologies provide it with a significant advantage in the global adhesive label market.

Four Pillars Enterprise, a Taiwanese competitor with market share both in the United States and the Far East, targeted Avery Dennison's Concord, Ohio, research facility, and stole Avery Dennison's intellectual property from 1989 through 1997.

The theft is a classic example of a competitor's methodical harvesting of technological advances and research. Avery Dennison was unaware of the economic espionage until a former Four Pillars employee applying for work with Avery Dennison revealed that an Avery Dennison employee had been supplying Four Pillars with adhesive formulas for the preceding eight years.

The FBI, together with Avery Dennison, contrived a successful sting operation to identify the employee who was working for Four Pillars. The culprit was Ten Hong Lee (a.k.a. "Victor Lee"), a U.S. citizen and a senior research engineer within Avery Dennison's Concord, Ohio, research facility.

Lee, who received his undergraduate degree at the National University of Taipei, his master's degree in polymer science from Akron University and his PhD in chemical engineering from Texas Tech, had been invited to visit Taiwan by the Industrial Technology Research Institute to give a lecture. While there, he was invited to present a technical lecture to Four Pillars.

Lee was enticed to enter into a covert relationship with Pin Yen Yang, Four Pillars' president and CEO, as a "secret consultant," for which he was paid US$25,000 his first year. Lee, Yang and Yang's daughter, Hwei Chen Yang, (a.k.a. "Sally Yang"), conspired to obtain Avery Dennison's intellectual property and business methodologies. In exchange, Lee would be paid substantial sums of money.

Four Pillars had targeted an individual with whom the Yangs could relate on an ethnic basis, leveraging Lee's desire to help a fellow countryman and pandering to his ego by providing him "recognition" for his intellect. Of course, it also paid him US$150,000 over the years, and deposited the funds with Lee's relatives in Taiwan to keep his skullduggery out of view of tax authorities, lenders or others who might have questioned the supplemental income.

When confronted, Lee admitted his guilt and was persuaded to act as a cooperative witness for the DoJ, which wanted to prosecute this theft of the intellectual property of a U.S. corporation by a foreign national under the powers of the Economic Espionage Act of 1996.

In September 1997, Lee met with the Yangs at a Holiday Inn in Westlake, Ohio, and provided them with more of Avery Dennison's intellectual property. The room was under FBI surveillance. Following the meeting, the Yangs were observed using a knife to cut the headers and footers off the documents provided by Lee.

1 2 Page 1
Page 1 of 2
7 hot cybersecurity trends (and 2 going cold)