Wednesday, December 1, 2021

The Lessons to Learn from Coca-Cola’s Insider Trade Secret Theft

 In today’s business, your data is your number one asset. For this reason it is important that you take steps to protect it. One case that accentuates this is the case of Xiaorong You, which is currently playing out in a Tennessee court. The accused is charged with stealing trade secrets and committing corporate espionage, as she is accused of allegedly stealing almost $120 million worth of BPA-free technologies from several companies, among them the Eastman Chemical Company and Coca-Cola.


Let’s take a look at how these two companies deployed their threat detection systems and the effect they had on the companies. 

You’s Story

Xiaorong “Shannon” You, a naturalized US citizen and Ph.D. in Polymer Science and Engineering, has worked at several companies since the early ‘90s. From December of 2012 to August of 2017, she worked for Coca-Cola as a principal engineer for global research, moving to the Eastman Chemical Company to work as a packaging application development manager from September of 2017 until June of 2018, when her employment was terminated.

During her tenure at both companies, You was given access to many trade secrets that only a handful of employees were privy to. In the indictment, You is charged with retaining these secrets (despite affirming that she hadn’t in writing) and then handing them over to the People’s Republic of China in an attempt to qualify for its The Thousand Talents program. This program has been used before to introduce advanced technologies to China, with the Department of Justice having prosecuted some cases similar to You’s.

Her modus operandi was that she retained this information by simply uploading data to her personal Google Drive account or captured especially sensitive information on her smartphone. Once she captured this data, You worked with a Chinese national named Xiangchen Liu to form a separate company in China that went ahead to use these trade secrets to begin revenue generation. They allegedly used an Italian BPA-free manufacturer to incorporate the stolen technologies onto their own products.

The theft of this information impacted several companies, including Coca-Cola and The Eastman Chemical Company, AkzoNobel, Dow Chemical, PPG, TSI, Sherwin Williams, and ToyoChem. This led to the charges she currently faces.

How You’s Employers Could Have Stopped Such Activities

There were stark differences between the way that Coca-Cola and The Eastman Chemical Company handled these issues. You left Coca-Cola in August of 2017, but her indictment states that the crimes she’s charged with didn’t happen until 2019. This means that Coca-Cola had no knowledge of the theft until after she had been exposed by her later employer. 

This fact is indicative of two reasonable hypotheses:

  1. Coca-Cola lacked the tools to detect such activities in real-time, making it far more difficult to prevent protected and sensitive data from successfully leaving the corporate environment.
  2. Coca-Cola also lacked the policies that could have prevented non-authorized devices from entering the workspace or otherwise being kept in proximity to sensitive company data or infrastructures. While old-fashioned, the concept of taking photographs of such information is no less effective for its age.

If you compare that to You’s sudden dismissal from the Eastman Chemical Company, you would have to consider that they had the data protection standards implemented to catch would-be thieves pretty rapidly.  If they hadn’t, the $120 million in trade secrets could have been substantially more. 

This just goes to show that any business can have the right idea about security, but not pay close enough attention to the details. Coca-Cola is a massive brand, but it couldn’t stop You from allegedly raking the company over the coals. 

No comments:

Post a Comment