Companies may be tempting fate by giving interns deep access to company data, as these two examples of intellectual property theft show.

Protecting the intellectual property (IP) of your company is every employee’s responsibility, says every CSO to both new hires and those long in the tooth.

That said, perhaps there are instances where my mother’s adage of “don’t tempt fate” applies. Access controls may exist, but are access controls used or enforced?

That is the quandary many employers face when bringing on interns. They want the internships to be productive and meaningful for both the intern and the company. But in doing so, should they entrust interns with access to the company’s crown jewels?

Here are two examples in which interns took advantage of access to companies’ IP.

Apple iPhone source code went to GitHub

In early February 2018, Apple’s IP protection team went into an all-hands-on-deck mode when iOS source code was posted online to GitHub. The iBoot source code apparently would allow those who understood it to manipulate iOS more readily, making iPhone jailbreaks easier and vulnerabilities potentially easier to discover. Apple’s lawyers wasted no time in requesting GitHub take down the code, and GitHub complied.

How did the iBoot source code find its way to GitHub? An intern shared the code with five friends who were active in iPhone jailbreak groups. Interestingly, the original sharing of the code and other Apple internal tools occurred in 2017. It was only when the iBoot source code was “reposted” to GitHub that Apple took action, as its confidential information was now available in the wild. While Apple may know the identity of this former engineering intern, it has not yet been made public.

Valeo’s source code went to China

Stepping back in history a bit, we recall the case of a Chinese university student, Li Lil Huang, who was arrested by the French for unauthorized access to trade secrets of automotive parts manufacturer Valeo.
Huang was charged with economic espionage for sharing those trade secrets with China.

Huang was an intern at Valeo. Post-arrest, the police searched her apartment and found six computers and two external drives that contained Valeo’s confidential IP.

Huang began her internship at Valeo in February 2005 and found herself arrested by April 2005. Huang, reported to be a brilliant woman of exceptional competence, is multilingual and has multiple degrees in mathematics, applied physics and fluid mechanics.

The information she was alleged to have purloined pertained to new models of vehicles from BMW and Renault to which Valeo was privy. As a major parts manufacturer, Valeo has confidentiality agreements with manufacturers on vehicles not yet in production. And while losing its customers’ data was painful, the sting went deep, as the company learned Huang had also taken Valeo’s own confidential production plans for China.

Ultimately, the French courts found Huang guilty of IP theft in 2007. Interestingly, in the midst of the Huang incident, the European Strategic Intelligence and Security Centre reported that an educational institution in Belgium, “The Chinese Students and Scholars Association of Leuven” (CSSAL), was the epicenter of an “economic spy network,” according to SpaceDaily.

Where are your trade secrets or source code going to go?

Granted, the vast majority of interns and other employees are honest, and the likelihood of their breaking trust is low. Low it may be, but it is above zero.

In looking at both Apple’s and Valeo’s instances where an intern broke trust, the pain may have been self-inflicted, the type that stings the most. Both apparently granted their interns far greater levels of trust than they deserved.

Which drives home the point to all who hire and assign work to new members of the team: Be cautious. Vet those employees before you open up access to the crown jewels.