DuPont sues employee for trade secrets data breach

Industrial manufacturing giant DuPont has sued an employee it claims was planning to smuggle trade secrets to China, according to a report this week in The News Journal of Delaware.

The employee, Hong Meng, a senior research chemist, admitted to DuPont security officials that in August he downloaded confidential company files from his company-issued laptop to an external hard drive. The data included research on organic light-emitting diode (OLED) technology, said the report, citing court papers.

Meng was planning to take DuPont's proprietary information to Peking University in Beijing, which is involved in research on OLED technology, according to the report.

“When sensitive data is copied to an external hard drive, that typically is a policy violation,” Michael Maloof, CTO of TriGeo Network Security, told SCMagazineUS.com on Wednesday. “Why wasn't there an immediate alert when that external hard drive was attached?”

DuPont was hit by a similar incident several years ago, when a 10-year veteran of DuPont accessed more than 16,700 documents and more than 22,000 scientific abstracts, between August and December 2005, with the intention of giving them to Victrex, a DuPont rival. The culprit in that case, Gary Min, a native of China, eventually was sentenced to 18 months in prison.

“DuPont obviously did not learn much from the first case,” Maloof said. “Both these guys had access to sensitive data, and only long after the data was gone did they discover that the breach had occurred.”

A DuPont spokesperson could not be reached for comment on Wednesday.

A database can be secure, but that doesn't help if people with legitimate access are abusing their rights, said Phil Neray, vice president of security strategy at Guardium.

“Most insiders have access to information they need to do their job,” Neray told SCMagazineUS.com Wednesday. “The challenge is to be sure that you have sufficient controls in place to identify when someone is abusing their privileges.”

Most companies have policies, but what is missing are mechanisms for enforcing those policies, Neray said.

“Most of the focus has been on financial data, but what this story shows is that companies have other types of data of a proprietary nature that also must be protected,” he said. “The message is: Don't forget about proprietary information databases.”
