Industrial manufacturing giant DuPont has sued an employee it claims was planning to smuggle trade secrets to China, according to a report this week in The News Journal of Delaware.
The employee, Hong Meng, a senior research chemist, admitted to DuPont security officials that in August he downloaded confidential company files from his company-issued laptop to an external hard drive. The data included research on organic light-emitting diode (OLED) technology, said the report, citing court papers.
Meng was planning to take DuPont's proprietary information to Peking University in Beijing, which is involved in research on OLED technology, according to the report.
“When sensitive data is copied to an external hard drive, that typically is a policy violation,” Michael Maloof, CTO of TriGeo Network Security, told SCMagazineUS.com on Wednesday. “Why wasn't there an immediate alert when that external hard drive was attached?”
DuPont was hit by a similar incident several years ago, when a 10-year veteran of DuPont accessed more than 16,700 documents and more than 22,000 scientific abstracts, between August and December 2005, with the intention of giving them to Victrex, a DuPont rival. The culprit in that case, Gary Min, a native of China, eventually was sentenced to 18 months in prison.
“DuPont obviously did not learn much from the first case,” Maloof said. “Both these guys had access to sensitive data, and only long after the data was gone did they discover that the breach had occurred.”
A DuPoint spokesperson could not be reached for comment on Wednesday.
A database can be secure, but that doesn't help if people with legitimate access are abusing their rights, said Phil Neray, vice president of security strategy at Guardium.
“Most insiders have access to information they need to do their job,” Neray told SCMagazineUS.com Wednesday. “The challenge is to be sure that you have sufficient controls in place to identify when someone is abusing their privileges.”
Most companies have policies, but what are missing are mechanisms for enforcing those policies, Neray said.
“Most of the focus has been on financial data, but what this story shows is that companies have other types of data of a proprietary nature that also must be protected,” he said. “The message is: Don't forget about proprietary information databases.”