Insider Signal - 2021.04

In our second issue, we cover more economic espionage, a $250M slush fund, customer and vendor data exposure via cloud misconfiguration, and failure to disable accounts for terminated employees.

Researcher Swipes Trade Secrets from Coca-Cola and Six Vendors

In early April 2021, a criminal trial opened in U.S. District Court in Greeneville, Tennessee, against 57-year-old Xiaorong You (aka Shannon You) alleging 11 counts, including conspiracy to commit economic espionage, conspiracy to steal trade secrets, and theft of trade secrets.

You, who worked at The Coca-Cola Company from 2012 to 2017 as principal engineer for global research, allegedly stole trade secrets from several Coca-Cola vendors and partners while working at Coca-Cola in Atlanta. Those vendors included Dow Chemical, Sherwin-Williams, PPG, AkzoNobel, TSI, and ToyoChem. Upon leaving Coca-Cola, You signed a document attesting she hadn't retained proprietary information from the beverage giant. You then allegedly committed similar offenses at Eastman Chemical Company, where she worked from September 2017 through June 2018 as a packaging application development manager.

You allegedly stole bisphenol-A-free (BPA-free) technologies owned by several companies, including Coca-Cola. These technologies, estimated to be worth $119.6 million, relate to a compound that coats the inside of beverage cans to help preserve taste and prevent corrosion. According to the Department of Justice, You planned to set up her own company in China to capitalize on her theft of these technologies under that nation's "Thousand Talents" program.

You was originally indicted in 2019, but a superseding indictment added conspiracy charges the following year. Coca-Cola had agreements with other companies to conduct research and development, testing, analysis, and review of different BPA-free technologies.

The DOJ claims that before leaving Coca-Cola, You uploaded confidential documents to her Google Drive account. Other documents she photographed with her smartphone. Those documents contained the BPA-related trade secrets belonging to Coca-Cola and its partners/vendors. While working at Eastman Chemical Company, You took photographs of laboratories, purportedly to learn what type of equipment she would need to replicate at her own business. On the verge of discharge, she uploaded BPA-free research to an external drive. You allegedly traveled to China in 2017 and 2018 to personally deliver the collective information to Chinese officials.

Analysis Highlights

  • The case drives home the importance of having a real-time insider-threat-detection program.

  • While Coca-Cola has a strong culture around preserving its trade secrets, it is likely You's greed and ties to her home country trumped those efforts.

Deeper Analysis

  • Real-time detection measures, such as notifying the IT department when a USB drive is connected to a company computer's port, could have thwarted the theft.

  • Companies might consider limiting access to confidential information to specific workstations. Those workstations could then be constantly surveilled by video or by on-site security staff.

  • Coca-Cola and Eastman could have prohibited You from bringing any kind of camera and recording device near sensitive information and facilities. Some facilities collect phones upon arrival or require storage before an employee enters secure space, but these restrictions are very hard to enforce. Miniature cameras can easily be hidden. Employees may turn in one smartphone before entering a secure area but retain a second. The shooting at the FedEx center in Indianapolis in April 2021, in which family members waited in agony for hours to find out about loved ones because staff was prohibited from having phones at work, raises questions about depriving staff of their devices.

  • Organizations should have a procedure in place to investigate potential information theft by departing employees, including retaining access to their email accounts and looking through messages, promptly reviewing new messages sent to those accounts, and auditing their network activity.

Psst: Would you benefit from our Deeper Analysis section for the other three featured stories each month? Want to help ensure iThreat and Mike Gips are able to keep bringing you news and analysis of important insider threat incidents? If so, we would appreciate you becoming a paid subscriber to the Insider Signal Plus version of the newsletter!

Sources & Additional Information

  1. https://www.csoonline.com/article/3613953/coca-cola-trade-secret-theft-underscores-importance-of-insider-threat-early-detection.html

  2. https://www.wsj.com/articles/chinese-born-u-s-citizen-charged-with-stealing-trade-secrets-11550177074

  3. https://cen.acs.org/materials/polymers/Chemist-convicted-of-stealing-BPA-free-can-liner-trade-secrets-for-a-Chinese-firm/99/web/2021/04

  4. https://www.msn.com/en-us/news/world/chinese-born-chemist-convicted-of-stealing-dollar120m-in-us-trade-secrets-for-ccp/ar-BB1fWTSq

  5. https://www.washingtontimes.com/news/2021/apr/23/former-coca-cola-worker-convicted-conspiracy-commi/


Petrochemical CEO Misappropriates $250 Million

José Carlos Grubisich, former CEO of Brazilian petrochemical company Braskem, pleaded guilty in U.S. federal court to diverting $250 million of company money into a slush fund to pay off government officials and others. He pleaded guilty to two counts of conspiring to violate the U.S. Foreign Corrupt Practices Act.

Grubisich, age 64, admitted to paying $4.3 million in bribes to an official at Brazil’s state-controlled oil company Petrobras for Braskem to secure a 2005 contract to operate a polypropylene plant. Offshore shell funds were created to help divert funds.

Grubisich created a slush fund called Caixa 2. He certified Braskem’s 2006 and 2007 annual financial statements to the U.S. Securities and Exchange Commission although they inaccurately represented the company’s finances and concealed the fraud.

Analysis Highlights

  • The activities at the heart of this case occurred 15 years ago!

  • Grubisich's lawyers argued that, at the time, facilitation payments were part of Brazilian culture.

Sources & Additional Information

  1. https://www.justice.gov/usao-edny/pr/former-ceo-braskem-pleads-guilty-bribery

  2. https://www.reuters.com/article/braskem-ceo-plea/update-2-former-ceo-of-brazils-braskem-pleads-guilty-in-u-s-bribery-case-idUSL1N2M827G


Indian Supply Chain Company Exposes Massive Amounts of Customer Data

Bizongo, a Mumbai-based B2B marketplace where organizations buy and sell material packing solutions, reportedly exposed approximately 2.5 million files containing customer information stored in the cloud.

Among exposed data were names, addresses, phone numbers, and financial information of customers such as Carnival Group, Flipkart, Delhivery, and Neolite.

The incident is most likely the result of a Bizongo staff person misconfiguring Amazon Web Services (AWS) cloud systems.

Both website creation firm Website Planet and Amazon Web Services notified Bizongo of the vulnerability in December 2020. Bizongo claims to have secured access to the exposed server within hours of notification.

Analysis Highlights

  • There is reportedly no indication that any of the exposed data was accessed.

  • The data could be used for phishing, identity theft, fraud, corporate espionage, and other nefarious purposes.

Sources & Additional Information

  1. https://inc42.com/buzz/bizongo-fixes-leak-that-exposed-data-of-jio-flipkart-others/

  2. https://www.websiteplanet.com/blog/bizongo-breach-report/


Case Worker for Children Investigated for Sex Offenses Breaches Government System 260 Times

A former contract case worker for the Australian province of Victoria, who had been investigated for having child pornography on his laptop, was found to have entered the province's IT system 260 times within a year after ceasing to work there. The system included records of children considered to be vulnerable and/or high risk.

In an investigation, the Office of the Victorian Information Commissioner documented the breaches at the former Department of Health and Human Services (DHHS), which occurred between September 2017 and October 2018. The unidentified culprit, who accessed the files of 27 children, worked for the contractor from April 2016 to September 2017.

Access was finally terminated in October 2018, when an employee noticed the issue.

Analysis Highlights

  • A watchdog agency said the breach was caused by "a failure of [the culprit's] supervisor to initiate the process to terminate...access...when he no longer needed access to the system."

  • The agency said that the failure "was due to an inadequate handover when one manager departed the role and another took over."

  • There were no processes in place to ensure access privileges were revoked when the contractor relationship ended.
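
One way to run the missing check described above, as an added example (not taken from the newsletter or the Commissioner's report): reconcile HR/contract end dates against system access logs and flag any activity after an account's end date. The account names, dates, and log format below are constructed for illustration.

```python
from datetime import date, datetime

# Constructed roster: account -> engagement end date (None = still active).
ROSTER = {
    "contractor-a": date(2017, 9, 30),
    "staff-b": None,
    "staff-c": date(2018, 6, 15),
}

# Constructed access log: "<ISO timestamp> <account> <event>".
ACCESS_LOG = """\
2017-08-14T09:12:03 contractor-a LOGIN_OK
2017-10-02T21:40:11 contractor-a LOGIN_OK
2018-03-19T22:05:47 contractor-a RECORD_VIEW
2018-05-01T08:30:00 staff-b LOGIN_OK
2018-06-15T16:59:00 staff-c LOGIN_OK
2018-07-01T10:00:00 unknown-d LOGIN_OK
not a log line
"""

def audit(roster, log_text):
    """Return (late, unknown, malformed).

    late:      {account: [timestamps of events after the end date]}
    unknown:   accounts seen in the log but absent from the roster
    malformed: number of lines that could not be parsed
    """
    late, unknown, malformed = {}, set(), 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            account = parts[1]
        except (IndexError, ValueError):
            malformed += 1          # never silently drop unparseable lines
            continue
        end = roster.get(account)
        if account not in roster:
            unknown.add(account)    # no owner on record: review separately
        elif end is not None and ts.date() > end:
            late.setdefault(account, []).append(ts)
    return late, unknown, malformed

def summarize(late, roster):
    """Per account: (event count, days between end date and last event)."""
    return {a: (len(t), (max(t).date() - roster[a]).days) for a, t in late.items()}

if __name__ == "__main__":
    late, unknown, malformed = audit(ROSTER, ACCESS_LOG)
    print(summarize(late, ROSTER), unknown, malformed)
```

Run on a schedule, a check like this surfaces the first post-departure login rather than relying on an employee to notice it by chance.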

Sources & Additional Information

  1. https://www.itnews.com.au/news/ex-contractor-accessed-vic-govt-it-system-260-times-a-year-after-leaving-562038

  2. https://www.abc.net.au/news/2021-03-13/former-contractor-accessed-vic-government-child-data-260-times/13243230


More Insider Threat Stories

IT Contractor Deleted Company’s Microsoft User Accounts

Deepanshu Kher, an IT contractor, was sentenced in late March to two years in prison for deleting more than 1,200 of 1,500 Microsoft User Accounts of the Carlsbad Company, for which Kher was working on a migration to Office 365. Kher’s employer pulled him from the job when Carlsbad expressed dissatisfaction with his work. About four months later, the IT firm fired him. Three months later, Kher hacked into Carlsbad's server and deleted more than 1,200 Office 365 accounts, shutting down the company for two days. Staff could not access email, calendars, documents, conferences, or virtual environments. Customers, vendors, and the public could not reach Carlsbad staff. The problems lingered, in lesser severity, for three months. Kher was ordered to pay $567,084 in restitution. Source: https://www.justice.gov/usao-sdca/pr/it-contractor-sentenced-two-years-deleting-carlsbad-company-s-microsoft-user-accounts

Ex-Fed Employee Stole Proprietary Info on Bank Stress Tests

Venkatesh Rao, 67, of Bethesda, Maryland, pleaded guilty in March 2021 to theft of government property from his ex-employer, the Board of Governors of the Federal Reserve System. In 2019, the Fed informed Rao, an economist, that his work did not meet standards. Rao decided to resign. During five weekend days in November 2019, Rao entered the Fed building in Washington, D.C. 16 times, printed more than 50 restricted government documents from his workstation, and took them home. The documents contained proprietary information used by the Fed to conduct bank stress tests. Source: https://www.bloomberg.com/news/articles/2021-03-19/ex-federal-reserve-employee-admits-to-stealing-bank-stress-data

Home Health Care Companies in Lawsuit Over Theft of Trade Secrets

Home health care provider CareCentrix has filed suit against rival Signify Health, claiming Signify recruited a CareCentrix executive, Marcus Lanznar, to obtain confidential information and secrets. The suit further alleges Lanznar surreptitiously worked with Signify while still employed by CareCentrix to pass competitive information to Signify, which was preparing to go public. According to the suit, exfiltration techniques included embedding photos of CareCentrix documents in other materials and sending them to Signify. Signify denies the charges. Source: https://www.healthcareitnews.com/news/carecentrix-files-corporate-espionage-lawsuit-against-signify-health

Ex-State Department Employee Trafficked Counterfeits from Embassy

A former U.S. State Department staff member and his wife were sentenced for conspiring to traffic counterfeit goods through e-commerce accounts that they operated via State Department computers at the U.S. Embassy in Seoul, Korea. Gene Leroy Thompson Jr., 54, and Guojiao “Becky” Zhang, 40, each pleaded guilty to one count of conspiracy to traffic in counterfeit goods. Thompson received 18 months in prison and three years of supervised release. Zhang received three years of supervised release. They were also ordered to forfeit $229,302. Thompson served as an Information Programs Officer at the Seoul embassy. Between September 2017 and December 2019, using a State Department computer, the couple sold counterfeit goods on e-commerce platforms. He created multiple accounts under pseudonyms after some e-commerce platforms suspended the couple’s accounts for fraud. Source: https://dailycaller.com/2021/03/18/u-s-state-department-south-korea-justice-department/

Risk Manager Defrauds Employer

David Kramer, 42, pleaded guilty to five counts of wire fraud and received a two-year sentence for defrauding his employer, Enterprise Holdings, a rental car company. In his role of risk manager in south Florida, Kramer solicited checks from accounts payable for fictitious and fraudulent expenses, ascribing the requests to local agencies and organizations, including sheriff's offices, the Florida Department of Transportation, and courthouses. He would deposit these checks in his personal account, using the funds for vacations, jewelry, and clothing. He submitted at least 694 fraudulent requests for more than $1.5 million. Source: https://www.justice.gov/usao-edmo/pr/judge-sentences-rental-car-company-manager-scheming-defraud-his-employer

Tennessee Fire Fighter Charged With Easter Church Arson

Codie Austin Clark, 25, a former volunteer fire fighter, was arrested for setting fire to New Salem Presbyterian Church in Weakley County, Tennessee. The arrest culminated an internal investigation after several suspicious fires in the area. Source: https://apnews.com/article/fires-tennessee-arson-df45ec983200e159c4b190240b9d8a12

Employee Attacks Texas Cabinet Plant

A shooting by a staff member at the Kent Moore Cabinets plant in Bryan, Texas, killed one person and injured five others. The shooter, Larry Bollin, 27, targeted male employees working in the bays where employees make cabinets. Fleeing the scene, Bollin shot and wounded a state trooper. The suspect was apprehended later the same day. Bollin's attorney has suggested bullying precipitated the attack. Source: https://www.click2houston.com/news/local/2021/04/14/attorney-for-suspect-in-bryan-shooting-says-bullying-may-have-led-up-to-rampage/

Security Guard Gets 25 Years for Involvement in Violent Robbery

Security officer David Jerome Delce received a sentence of 25 years in prison for the violent robbery of a woman outside a Lubbock, Texas, game room in December 2017. The victim, an employee of the game room, was leaving work and walking to her car with a second woman. A man hit her in the back of the head three times with a gun, stole money from the woman, and ran to his vehicle. A second woman had her purse stolen. Surveillance video showed two other men outside the game room, including Delce. The jury concluded that Delce was working with the other two suspects. Source: https://www.kcbd.com/2021/04/12/jury-selection-begins-man-accused-aggravated-robbery-outside-gameroom/

Nursing Home Employee Charged with Stealing from Residents

Valerie Nicole Williams, 31, has been charged with felony Financial Exploitation of an Elderly Person and Financial Exploitation of a Vulnerable Adult. As business officer coordinator at Transitions Healthcare Capital City, a nursing facility in Washington, DC, Williams stole $7,421 from seven elderly residents and four vulnerable adult residents. She forged signatures of these residents to access accounts managed by the facility. She also stole two money orders. Source: https://www.justice.gov/usao-dc/pr/former-nursing-home-employee-and-home-health-aide-arrested-two-separate-cases-involving

Italian Navy Captain Arrested for Spying for Russia

Walter Biot, 54, an Italian Navy captain, was arrested during a secret meeting with a Russian military attaché after allegedly transferring a USB stick in return for 5,000 euros. The USB drive was said to contain 181 photos of classified documents including nine highly confidential files and 47 secret NATO documents. Biot's wife said that the captain acted under severe financial distress caused in part by economic difficulties arising from Covid-19. Source: https://www.bbc.com/news/world-europe-56600959


We Want Feedback!

How are we doing? Are you enjoying our content and insights? Are there specific stories you’d like us to cover? We would love your feedback via insidersignal@ithreat.com. With your permission, we may even publish it!