Xiaolang Zhang harvests 40GB of data about the Apple Car and takes a server and circuit boards before announcing his intent to join XMotors in China.

Credit: Seamus Bellamy / IDG

The security checkpoint at Mineta San Jose International Airport in San Jose, California, was a bit more exciting than normal when Xiaolang Zhang passed through the TSA checkpoint on July 7. The FBI arrested Zhang at the Terminal B checkpoint for stealing information about Apple's autonomous, or self-driving, car.

Zhang, clearly not the brightest light in the chandelier, told his supervisor of his intent to leave Apple and take a position at the Chinese startup XMotors (aka Xiaopeng Motors). Following his declaration of intent to move to a competitor, he was immediately walked out the door; that was on April 30, 2018. Before that meeting, though, Zhang had downloaded the plans for a sophisticated circuit board being developed by Apple.

Who is XMotors?

XMotors is the wholly owned U.S. subsidiary of Xiaopeng Motors, which is based in Guangzhou; XMotors' own office is in Palo Alto, California. It is a well-funded vehicle manufacturer that has publicly stated it is researching the self-driving market.

What did XMotors get?

According to Reuters, XMotors has declared that its relationship with Zhang has been terminated and that he did not share any Apple trade secrets with the company. The company is cooperating with law enforcement in its investigation of Zhang's theft of Apple's trade secrets.

What does the criminal complaint against Zhang tell us?

The criminal complaint filed in support of Zhang's arrest tells us that Zhang joined Apple's secret autonomous vehicle team in December 2015. Zhang was a member of the "Compute" team and designed circuit boards to analyze sensor data. As a trusted insider, he had legitimate access to Apple's trade secrets. From April 1-28, 2018, Zhang and his family traveled to China while Zhang was on paternity leave.
When Zhang returned to work on April 30, 2018, he told Apple that he intended to resign and go to work for XMotors. The supervisor brought in security; they spoke with Zhang and informed him that he was being terminated, effective immediately. They had him turn in his Apple devices, two iPhones and one MacBook, and then escorted him out of the building.

Apple's protocol for terminated employees

The Apple protocol, as described in the criminal complaint, is one every company should strive to emulate. Apple ordered a review of Zhang's physical access to its buildings and to rooms within those buildings, producing a paper trail documenting his access to labs and R&D facilities. It ordered a review of Zhang's intranet activity to document which areas of the company he had accessed. Did he stay in his swim lane, or did he go on an intellectual property treasure hunt? What did he print, what did he copy, where did he store data, and with whom did he communicate? All of it would be available.

Apple also ordered a forensic review of his devices. That review would show, with no ambiguity, which external storage devices had been attached and whether data had been moved from the network or the device onto them.

As one would expect, they found that his intranet activity in the days immediately before April 30 had spiked sharply when compared with the previous two years. The investigation showed he had conducted broad sweeps looking for documents and designs, then downloaded those that caught his interest. In a nutshell, Zhang was in harvest mode. The review of the physical access logs showed him entering the autonomous vehicle lab late in the evening on Saturday, April 28, the day he returned from China. Apple reviewed the security video for that building and saw Zhang leaving with equipment.

Impressively, Apple completed all of the above within 24 hours. Apple then reached out to Zhang and asked him to meet with them. He agreed.
On May 1, 2018, the day after being walked out of the building, Zhang returned for a voluntary interview with Apple's security and legal team. During the interview, Zhang admitted he had taken Apple's intellectual property and had stolen a Linux server and circuit boards from the lab. He also said he had passed the stolen information to his wife's laptop via AirDrop. He said he would return the items. He left Apple and returned within the hour with his wife's laptop, which showed that over 40 gigabytes of Apple data had been shared and that AirDrop activity had occurred on both April 28 and 29. When asked whether he had shared Apple's information beyond his wife's device, he said he had not. He was formally terminated, a "voluntary termination" in Apple's words, on May 5.

Enter the FBI

On June 27, 2018, the FBI interviewed Zhang. While they were interviewing him, a search warrant was served on his residence. He told the FBI that he knew he would be turning in his Apple laptop upon resignation and wanted to save his work, so he copied it to personal devices. On July 7, the FBI learned (the complaint does not say how) that he had purchased a round-trip ticket to China departing that same day. Zhang never made it to China; he made it as far as the TSA checkpoint at Terminal B in San Jose.

Lots of lessons

Apple's ability to conduct post-event investigations backed by copious amounts of data is evident. In addition, closing the loop on the protection of intellectual property both at hire and at termination provides the paper trail showing that Zhang knew what he was doing was wrong, and it hands law enforcement a tidy package. Add Apple's willingness to be a cooperative complainant, and the FBI and the U.S. Attorney will have the information they need to pursue this case.