When employee access exceeds trust, IP goes missing

Companies may be tempting fate by giving interns deep access to company data, as these two examples of intellectual property theft show.

programmers student coders hackathon
Randymcking (CC BY-SA 3.0)

Protecting the intellectual property (IP) of your company is every employee’s responsibility, says every CSO to both new hires and those long in the tooth.

That said, perhaps there are instances where my mother’s adage of “don’t tempt fate” applies. Access controls may exist, but are access controls used or enforced?

That is the quandary many employers face when bringing on interns. They want the internships to be productive and meaningful for both the intern and the company. But in doing so, should they entrust interns with access to the company's crown jewels?

Here are two examples in which interns took advantage of access to companies' IP.

Apple iPhone source code went to GitHub

In early February 2018, Apple’s IP protection team went into an all-hands-on-deck mode when iOS source code was posted online to GitHub. The iBoot source code apparently would allow those who understood it to more easily manipulate the iOS to make iPhone jailbreaks easier and potentially discover vulnerabilities more easily. Apple's lawyers wasted no time in requesting GitHub take down the code, and GitHub complied.

How did the iBoot source code find its way to Github? An intern shared the code with five friends who were active in iPhone jailbreak groups. Interestingly, the original sharing of the code and other Apple internal tools occurred in 2017. It was only when the iBoot source code was “reposted” to GitHub that Apple took action, as their confidential information was now available in the wild. 

While Apple may know the identity of this former engineering intern, it has not yet been made public. 

Valeo’s source code went to China

Stepping back in history a bit, we recall the case of a Chinese university student, Li Lil Huang, who was arrested by the French for unauthorized access to trade secrets of automotive parts manufacturer Valeo. Huang was charged with economic espionage for sharing those trade secrets with China.

Haung was an intern at Valeo. Post-arrest, the police searched her apartment and found six computers and two external drives that contained Valeo’s confidential IP.

Haung began her internship at Valeo in February 2005 and found herself arrested by April 2005. Haung, reported to be a brilliant woman of exceptional competence, is multi-lingual and has multiple degrees in mathematics, applied physics and fluid mechanics.

The information she was alleged to have purloined pertained to new models of vehicles from BMW and Renault for which Valeo was privy. As a major parts manufacturer, Valeo has confidentiality agreements with manufacturers on vehicles not yet in production. And while losing their customer's data was painful, the sting went deep, as they learned Huang had also taken Valeo’s own confidential production plans for China.

Ultimately, the French courts found Huang guilty of IP theft in 2007.

Interestingly, in the midst of the Huang incident, the European Strategic Intelligence and Security Centre reported an educational institution in Belgium — "The Chinese Students and Scholars Association of Leuven" (CSSAL) — was the epicenter of an “economic spy network,” according to SpaceDaily.

Where are your trade secrets or source code going to go?

Granted, the vast majority of interns and other employees are honest, and the likelihood of their breaking trust is low. Low they may be, but they are above zero.

In looking at both Apple’s and Valeo’s instances where an intern broke trust, the pain may have been self-inflicted pain — the type that stings the most. Both apparently granted to their interns far greater levels of trust than they deserved.

Which drives home the point to all who hire and assign work to new members of the team: Be cautious. Vet those employees before you open up access to the crown jewels.  

Security Smart: 4 Common Password Myths ... Debunked!