Coca-Cola trade secret theft underscores importance of insider threat early detection

A research engineer used basic exfiltration techniques to steal trade secrets from Coca-Cola, but wasn't caught until she attempted to steal similar data from another company.


The trial of Xiaorong You is set to begin today, April 6, in Greeneville, TN. She is accused of trade secret theft and economic espionage after allegedly stealing bisphenol-A-free (BPA-free) technologies owned by several companies, including her former employers Coca-Cola and Eastman Chemical Company. The value placed on the development of the stolen technologies is $119.6 million. Other affected companies include Akzo-Nobel, Dow Chemical, PPG, TSI, Sherwin Williams and ToyoChem.

The details of the case suggest that the damages You is allegedly responsible for could have been minimized if better real-time insider threat detection methods had been in place. They also outline possible motives for the theft of the intellectual property: ego and money.

Timeline for the alleged trade secret theft

You (a.k.a. Shannon You) is a naturalized US citizen with a PhD in Polymer Science and Engineering from Lehigh University. She has worked in US industry since May 1992.

You originally faced a nine-count grand jury indictment in February 2019 in the US District Court for the Eastern District of Tennessee for her role in the theft of trade secrets. In August 2020, a superseding indictment was filed that added charges related to economic espionage.

You worked for Coca-Cola from December 2012 through August 2017 as a principal engineer for global research and then from September 2017 through June 2018 for Eastman Chemical Company as a packaging application development manager. In both roles she was one of a handful of employees with access to trade secrets and inter-company trade secret exchanges. When she departed Coca-Cola, You signed a statement that attested she did not retain trade secret information owned by Coca-Cola and in exchange received a check for $39,912—which appears to have been her last paycheck from the company.

In the summer of 2017, You applied for China’s Thousand Talent program. As the application proceeded, her co-conspirator Xiangchen Liu, a Chinese national, informed her that she had to submit false information to the PRC government to increase the chances of You being given the award. The Chinese government has used this program to bring advanced technologies into China from abroad. The Department of Justice has successfully prosecuted cases with this program at the nexus of the prosecution.

How You allegedly stole BPA-free trade secrets

You is alleged to have stolen trade secrets from her two employers and made them available to a Chinese company that her co-conspirator managed. The theft was carried out in a straightforward manner: She uploaded information to Google Drive; for the more sensitive documents she used her smartphone’s camera to take screenshots of the documents, avoiding detection by the infosec team.

At Eastman Chemical Company on June 11, 2018, You photographed secure and restricted laboratories. Then ten days later, knowing she was about to be discharged, she uploaded company documents and those of the other companies doing BPA-free research directly to an external drive. When confronted during a company investigative interview, she claimed that she was not retaining any of the company’s intellectual property.

The formation of a company in China in which You had part ownership was the avenue by which the trade secrets would be monetized and exploited. The court documents show You and Liu intended to form a joint venture with an established Italian BPA-free manufacturer to integrate the stolen technologies, ostensibly belonging to the “new Chinese company.”

Insider threat takeaway: Early detection is critical

The time between You’s departure from Coca-Cola (August 2017) and her indictment (February 2019) indicates that the upload of the trove of documents from the Coca-Cola infrastructure to You’s Google Drive account was not detected by the information security team in real time and was discovered only after the fact. The actions taken at Eastman Chemical, by contrast, indicate real-time detection of an anomaly, followed by an immediate investigation that ended in You’s firing: She had copied internal information to an external drive.

Two actions could have stopped the theft or lessened its impact:

  • Real-time alerts and processes designed to prevent sensitive and protected data from exiting the corporate environment.
  • Prohibiting personal and non-authorized electronic devices, including smartphones, from proximity to trade secrets or sensitive installations. Using a smartphone’s camera to copy documents and workspaces is a throwback to the espionage techniques of old, when miniature and subminiature cameras would be used to copy documents from within restricted spaces.
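As an added illustration of the first point (not taken from the court record or from either company's tooling), the sketch below streams endpoint and proxy events and raises an alert the moment a user's uploads to personal cloud storage cross a volume threshold, or when files are copied to removable media by someone close to separation. The event fields, domain list, thresholds, user names and sample events are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (hypothetical; tune per environment).
PERSONAL_CLOUD = {"drive.google.com", "www.dropbox.com"}
WINDOW = timedelta(hours=1)            # sliding window for upload volume
UPLOAD_LIMIT = 50 * 1024 * 1024        # bytes per user per window
DEPARTURE_WATCH = timedelta(days=30)   # tighter rules this close to separation

def detect(events, departures):
    """Process time-ordered events; return alerts as (ts, user, rule).

    events: dicts with ts, user, kind ('web_upload' | 'usb_write'),
            dest (host or device), bytes, label (data classification).
    departures: user -> planned separation datetime (e.g. from an HR feed).
    """
    recent = defaultdict(deque)  # user -> (ts, bytes) uploads inside WINDOW
    alerts = []
    for ev in events:
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        leaving = user in departures and ts >= departures[user] - DEPARTURE_WATCH
        if ev["kind"] == "web_upload" and ev["dest"] in PERSONAL_CLOUD:
            q = recent[user]
            q.append((ts, ev["bytes"]))
            while ts - q[0][0] > WINDOW:   # drop uploads older than the window
                q.popleft()
            limit = UPLOAD_LIMIT // 10 if leaving else UPLOAD_LIMIT
            if ev["label"] == "restricted" or sum(b for _, b in q) > limit:
                alerts.append((ev["ts"], user, "personal-cloud-upload"))
        elif ev["kind"] == "usb_write" and (leaving or ev["label"] == "restricted"):
            alerts.append((ev["ts"], user, "removable-media-copy"))
    return alerts

MB = 1024 * 1024
# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "eng01", "kind": "web_upload",
     "dest": "drive.google.com", "bytes": 20 * MB, "label": "internal"},
    {"ts": "2024-03-01T09:20:00", "user": "eng01", "kind": "web_upload",
     "dest": "drive.google.com", "bytes": 40 * MB, "label": "internal"},
    {"ts": "2024-03-01T10:00:00", "user": "eng02", "kind": "web_upload",
     "dest": "intranet.example.com", "bytes": 500 * MB, "label": "restricted"},
    {"ts": "2024-03-01T11:00:00", "user": "eng03", "kind": "usb_write",
     "dest": "USB-DISK", "bytes": 1 * MB, "label": "internal"},
    {"ts": "2024-03-01T11:30:00", "user": "eng04", "kind": "usb_write",
     "dest": "USB-DISK", "bytes": 1 * MB, "label": "public"},
]
SAMPLE_DEPARTURES = {"eng03": datetime(2024, 3, 11)}

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, SAMPLE_DEPARTURES):
        print(alert)
```

Documents photographed with a phone never appear in logs like these, which is why the second control is a physical one.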

You’s apparent motivation to break trust can be found in both greed and ego. Her ego was satiated by recognition in the form of the Thousand Talent award and other Chinese financial awards. Her financial greed was addressed with part ownership in a “new company” in China that would attempt to exploit and monetize the technologies she had stolen.  

Copyright © 2021 IDG Communications, Inc.
