Insider threat — Chemours employee steals trade secrets

Insider threat is the recurring theme in government and industry, and for good reason: The threat becomes reality far too often.

Case in point: Chemours (a Dupont spin-off) has been victimized, yet again. This time the Chemours off-boarding and digital forensic capabilities may have been instrumental in determining that a long-time trusted employee was not to be trusted.

A review of the grand jury indictment detailing the crime says that the employee, Jerry Jindong Xu, a naturalized Canadian citizen originally from China, had over the course of several years, stolen the intellectual property and trade secrets of his employer, Chemours. Xu had worked for Dupont China from 2004-2011 and transferred to the U.S. in 2011.

Xu worked for Dupont–Chemours in the U.S. from 2011 through June 2016, when he was terminated by Chemours. Shortly after his departure from Chemours, Xu was contacted by Chemours and asked to return the intellectual property he is believed to have downloaded or emailed to himself in the week immediately before his final day of work. He claimed to have no such information, and proffered to Chemours two external hard drives for their inspection. He was lying.

Xu was arrested in August 2017 and has been held without bail. The grand jury indictment of Xu for the theft of Chemours trade secrets was unsealed Sept. 5, 2017. On Nov. 20, 2017, Xu and his family pleaded with the court to allow him to be released from detention, pending trial. The U.S. district judge will hold a hearing on Dec. 1, 2017.

What did Xu steal from Chemours, and how did he do it?

The indictment says Xu targeted Chemours methodology to process sodium cyanide. Sodium cyanide is a chemical used in the mining of gold, silver and other precious metals. Xu allegedly stole the plans for a new Chemours sodium cyanide plant, valued at approximately $150 million. He also allegedly stole boat loads of collateral material used in pricing and marketing sodium cyanide.

Xu and his unidentified co-conspirator, also a former Dupont employee (terminated service in 2014), allegedly conspired to steal trade secrets and monetize these secrets with Chinese investors. The specifics, provided by the U.S. Department of Justice, include the following activities, all of which were conducted while Xu was employed by Chemours.

Misled colleagues and fabricated assignments in order to accumulate vast amounts of pricing and other information, including obtaining passwords for spreadsheets.

Contacted potential Chinese investors to solicit funding for building a sodium cyanide plant. They would communicate in English and Chinese, sometimes over an encrypted Chinese messaging service.

Explained to one Chinese investor that he wanted to do this project “for himself and not to slave away at this only to benefit someone else”

During a 2016 trip to China, accessed Chemours documents and told his co-conspirator he had “out-of-the-big (sic) ideas cooking” that he was anxious to discuss. He also asked how much their plant project would be worth. “Would you say in the millions?”

Created a company, made his wife the director, and executed a non-disclosure agreement with his co-conspirator.

Asked for and received a tour of Chemours’ sodium cyanide plant, during which he secretly took pictures of plant system diagrams and sent them to himself.

In the week after he was notified of his termination, he copied and/or sent himself many Chemours confidential documents and then falsely certified that he had returned all Chemours files.

Chemours’ exemplary off-boarding process

Far too often companies invest only in the on-boarding of employees and pay short shrift to the off-boarding of employees. In Chemours’ case, their inclusion of an attestation from Xu that he had returned all intellectual property of Chemours was exemplary.

The indictment shows us that Xu signed an attestation that said he had returned “all drawings, blueprints, manuals, letters, notes, notebooks, reports, and all other material of a secret or confidential nature relating to Chemours business which were in his possession or under his control.”

Three days after his departure, Chemours sent Xu a demand letter in which he was asked to “return all business confidential and trade secret information, including the electronic files that he transferred to himself during the time period 13-20 June 2016.”

Chemours’ digital forensics tell the tale

The reason for the termination of Chemours may have been related to the theft of intellectual property, which may have come to their attention earlier in 2016, given the multi-year effort Xu engaged in stealing his employer’s trade secrets.

Chemours told Xu he was being terminated on June 13, 2017. They also asked that he transfer his workload to another employee during the following week.

During that time, the Chemours InfoSec team appears to have monitored Xu’s activity on the corporate network, as he was detected sending Chemours confidential documents to his personal email account on June 13, 2017. On this date, he also copied trade secrets onto several removable drives. On June 17, 2017, he again sent proprietary and confidential documents related to cyanide pricing to his personal email account. This was followed on June 19, 2017, when he again emailed multiple Chemours confidential documents to his personal email, including one document titled: “New Supply Chain Design RFP.”

Whether the above was captured by design or during a post-employment forensic review of Xu’s laptop is not revealed in the court documents. Whichever methodology Chemours used provided sufficient information to bring in law enforcement, especially after he had declined the opportunity on June 29, 2017, to return the purloined information, denying he had stolen anything.

Invest in off-boarding

Companies of all sizes should onboard the teaching point: invest in your off-boarding process. Have the employee attest to the return of all trade secrets and proprietary information. And remind them of the terms of the non-disclosure agreement, if one exists.