It was the third week of January 2022 and the offer letter was signed and accepted; Guarav Kathuria was on his way out the door to start the next chapter in his career and closing out his 12-plus years at Qualcomm. Nothing to see here—this scenario happens to thousands of engineers each month. Except, well, not quite.
The difference between Kathuria and any given rank-and-file engineer is that Kathuria stands accused by his former employer, Qualcomm, of stealing “confidential documents, processes, schematics, and diagrams related to the chips and software Qualcomm was designing” on his way out the door.
On March 15, 2022, Qualcomm filed a complaint with the United States District Court, Southern District of California, San Diego Division that sought to bar Kathuria (and those with whom he shared the company’s secrets) from using those trade secrets.
On December 9, 2021, Qualcomm’s security personnel detected that Kathuria “transferred to his personal email account a zip file containing confidential and proprietary information related to the design of Qualcomm’s chipsets.” When confronted, he acknowledged that what he did was wrong and fell outside acceptable practices, and he attested that he had deleted the files.
On its face, it seemed the problem was solved.
The insider threat management processes worked. An employee acting outside the approved processes was detected and engaged. The employee’s explanation was apparently accepted, and in-the-moment schooling addressed the behavior.
In a perfect world, such would be the case—but wait, there’s more.
Kathuria waited a few weeks before doubling down; during the month of January 2022, he copied and exfiltrated dozens of files to his personal accounts. On February 1, 2022, Kathuria was formally interviewed as part of the investigation into his behavior. He admitted to copying hundreds of files but claimed he wasn’t stealing them and that they were for his own personal reference.
As the February 1 interview continued, Kathuria was pressed harder by investigators. It seemed he was unaware that his corporate email revealed he’d accepted a job offer with one of Qualcomm’s direct competitors (who was not further identified), and he finally admitted that he had, in fact, accepted a job offer from that competitor.
Kathuria was a trusted insider. His position as a lead engineer within the company provided him with unrestricted access to certain trade secrets. The company’s insider threat management program detected that he was uploading information to his personal email account and flagged the subsequent transfer of hundreds of files to other personal accounts. At first, it seemed the information and the breach were contained.
But perhaps not; the complaint tells us that Kathuria deliberately circumvented the insider threat control processes designed to protect the company’s confidential information by screenshotting the information and then “transferring image files.”
With the certainty of 20/20 hindsight, it appears that while the Qualcomm insider threat playbook succeeded initially, in the end the playbook failed the company.
The original exfiltration of confidential information in December 2021 was apparently explained away in such a manner that the company did not immediately initiate a deeper investigation into this employee with more than 12 years of tenure. Nor, apparently, was Kathuria’s access to sensitive data restricted, leaving him free to try again.
The fact that the Qualcomm complaint describes the second instance of successful information exfiltration and theft as having occurred over the course of multiple days, between January 8 and January 27, indicates an after-action damage assessment rather than an in-the-moment discovery.
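The gap described above, a first alert that is closed without elevating monitoring of the user, can be illustrated in detection logic. The following is an added example, not Qualcomm’s tooling or anything from the complaint: it runs a naive “large transfer only” rule and a “prior incident elevates scrutiny” rule over a constructed set of outbound-transfer events (user names, domains, sizes and timestamps are all invented), and shows that only the second rule catches the later burst of small image files sent to personal accounts.

```python
from collections import defaultdict

# Constructed sample events (not real logs): (timestamp, user, dest domain, ext, size_kb)
EVENTS = [
    ("2021-12-09T14:02", "gk", "gmail.com", "zip", 48000),
    ("2022-01-08T09:15", "gk", "gmail.com", "png", 900),
    ("2022-01-08T09:16", "gk", "gmail.com", "png", 850),
    ("2022-01-10T11:00", "jd", "gmail.com", "png", 300),
    ("2022-01-12T17:40", "gk", "gmail.com", "jpg", 1200),
    ("2022-01-27T18:05", "gk", "icloud.com", "png", 700),
]

PERSONAL_DOMAINS = {"gmail.com", "icloud.com", "yahoo.com"}  # assumed webmail list
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}
BASELINE_ALERT_KB = 10000   # naive rule: only large archives to personal accounts alert
ELEVATED_IMAGE_BURST = 3    # after a prior incident: alert on N image files to personal accounts


def naive_rule(events):
    """The 'first playbook': alert only on large transfers to personal domains."""
    alerts = []
    for ts, user, dom, ext, kb in sorted(events):
        if dom in PERSONAL_DOMAINS and kb >= BASELINE_ALERT_KB:
            alerts.append((ts, user, f"large {ext} to {dom}"))
    return alerts


def elevated_rule(events):
    """Same baseline, but a user's first alert places them under elevated monitoring:
    from then on, even small image files to personal accounts are counted and a
    burst raises a second alert instead of being explained away."""
    alerts = []
    flagged = set()
    image_count = defaultdict(int)
    for ts, user, dom, ext, kb in sorted(events):   # ISO timestamps sort chronologically
        if dom not in PERSONAL_DOMAINS:
            continue
        if kb >= BASELINE_ALERT_KB:
            alerts.append((ts, user, f"large {ext} to {dom}"))
            flagged.add(user)                        # enter elevated monitoring
            continue
        if user in flagged and ext in IMAGE_EXTS:
            image_count[user] += 1
            if image_count[user] == ELEVATED_IMAGE_BURST:
                alerts.append((ts, user, "image-file burst to personal accounts after prior incident"))
    return alerts


if __name__ == "__main__":
    print("naive:", naive_rule(EVENTS))
    print("elevated:", elevated_rule(EVENTS))
```

Run as-is, the naive rule reports only the December zip file, while the elevated rule adds a second alert at the third image file on January 12, weeks before an after-action review would have found it.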
The lack of in-the-moment action now has Qualcomm chasing their intellectual property via the legal system.
As of March 22, Kathuria has not yet been served the summons, nor responded within the legal system to the allegations made by Qualcomm.