Insider Threats

Qualcomm: ‘We’d Like Our IP Back, Please’

It was the third week of January 2022 and the offer letter was signed and accepted; Guarav Kathuria was on his way out the door to start the next chapter in his career and closing out his 12-plus years at Qualcomm. Nothing to see here—this scenario happens to thousands of engineers each month. Except, well, not quite.

The difference between Kathuria and any given rank-and-file engineer is that Kathuria stands accused by his former employer, Qualcomm, of stealing “confidential documents, processes, schematics, and diagrams related to the chips and software Qualcomm was designing” on his way out the door.

On March 15, 2022, Qualcomm filed a complaint with the United States District Court, Southern District of California, San Diego Division that sought to bar Kathuria (and those with whom he shared the company’s secrets) from using those trade secrets.

Kathuria Discovered by Qualcomm

On December 9, 2021, Qualcomm’s security personnel detected that Kathuria “transferred to his personal email account a zip file containing confidential and proprietary information related to the design of Qualcomm’s chipsets.” When confronted, he acknowledged that what he did was wrong and fell outside acceptable practices, and he attested that he had deleted the files.

On its face, it seemed the problem was solved.

The insider threat management processes worked. An employee acting outside the approved processes was detected and engaged. The employee’s explanation was apparently accepted, and in-the-moment schooling addressed the behavior.

In a perfect world, such would be the case—but wait, there’s more.

Kathuria waited a few weeks before doubling down; during the month of January 2022, he copied and exfiltrated dozens of files to his personal accounts. On February 1, 2022, Kathuria was formally interviewed as part of the investigation into his behavior. He admitted to copying hundreds of files but claimed he wasn’t stealing them and that they were for his own personal reference.

As the February 1 interview continued, Kathuria was pressed harder by investigators. It seemed he was unaware that his corporate email revealed he’d accepted a job offer with one of Qualcomm’s direct competitors (who was not further identified), and he finally admitted that he had, in fact, accepted a job offer from that competitor.

Kathuria’s Methodology

Kathuria was a trusted insider. His position as a lead engineer within the company provided him with unrestricted access to certain trade secrets. The company’s insider threat management program detected that he was uploading information to his personal email account and flagged the subsequent transfer of hundreds of files to other personal accounts. And at first, it seemed the information and the breach were contained.

But perhaps not; the complaint tells us that Kathuria deliberately circumvented the insider threat control processes designed to protect the company’s confidential information by screenshotting the information and then “transferring image files.”

Insider Threat Management

From the certainty of 20/20 hindsight, we see that while the Qualcomm insider threat playbook succeeded initially, it would appear that in the end, the playbook failed the company.

The original exfiltration of confidential information in December 2021 was apparently explained away in such a manner that the company did not immediately initiate a deeper investigation into this employee with more than 12 years of tenure. Nor, apparently, was Kathuria’s access to sensitive data restricted, leaving him free to try again.

The Qualcomm complaint revealed that the second instance of successful information exfiltration and theft occurred over the course of multiple days between January 8 and January 27, which is indicative of an after-action damage assessment rather than an in-the-moment discovery.

The lack of in-the-moment action now has Qualcomm chasing their intellectual property via the legal system.

As of March 22, Kathuria has not yet been served the summons, nor responded within the legal system to the allegations made by Qualcomm.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
