What Can Be Learned from Coca-Cola’s Security Oversight?

What Can Be Learned from Coca-Cola’s Security Oversight?

Data is one of—if not the—most essential resources a business has, which means it is essential that you take the steps to protect it in every way possible from every potential threat. This includes those that could originate from within your own organization. Let’s consider the case of Xiaorong You, who was recently convicted of conspiracy to commit trade secret theft by a federal jury.

You were found guilty after being accused of stealing nearly $120 million in BPA-free technologies from assorted companies, including Coca-Cola and the Eastman Chemical Company. Each of these companies had threat detection systems intended to prevent such activities, but the approach that each took proved to have different effects. Let’s consider the situation, and what we can learn from the threat detection practices that each company seems to have had in place.

Introducing Xiaorong “Shannon” You

You is a naturalized US citizen who holds a Ph.D. in Polymer Science and Engineering, a degree that enabled her to work for several companies since the early 1990s. Starting in December of 2012, You served as a principal engineer for global research for Coca-Cola until August of 2017. After that, she transitioned to the Eastman Chemical Company to take a position as packaging application development manager, where she worked from September of 2017 until her employment was terminated in June of 2018 upon the discovery of her activities.

While she held these positions, You had access to various trade secrets—many of which were only shared amongst a small group of employees. Despite her written affirmation that she had not retained any of these secrets, You had in fact done so and shared them with the People’s Republic of China in an application to The Thousand Talents program. This program has been used in the past to bring advanced technologies to the country and has been linked to other such cases that have been prosecuted by the Department of Justice.

You stole this data by simply uploading it to her personal Google Drive storage, occasionally photographing particularly sensitive information with her personal smartphone. Once she had this data, You collaborated with a Chinese national named Xiangchen Liu to create their own company in China to monetize these secrets. Co-opting an Italian manufacturer, the stolen BPA-free technology was then incorporated into their own products.

Several companies were ultimately impacted by these activities: naturally, Coca-Cola and Eastman Chemical, as well as AkzoNobel, Dow Chemical, PPG, TSI, Sherwin Williams, and ToyoChem.

What Could Have Prevented These Threats?

To be clear, Coca-Cola and The Eastman Chemical Company were notably different in how able they were to handle these kinds of insider threats. While You had left Coca-Cola by August of 2017, she was not indicted for these crimes until 2019—after she had already been exposed by Eastman Chemical.

This suggests that, until her activities were brought to light, Coca-Cola had no idea such things had happened under their roof. In turn, this suggests that:

  • Coca-Cola wasn’t using the tools that could have detected these activities in real-time, and as a result did not have the means to keep their sensitive data from leaving the corporate infrastructure and environment.
  • Coca-Cola also had no policies in place to keep non-authorized devices away from sensitive data. As You demonstrated, the relatively low-tech method of photographing data can still be highly effective.

Now, comparing You’s departure from Coca-Cola to her dismissal from the Eastman Chemical Company, it seems clear that the latter organization did in fact have the means to detect her activities in place. Otherwise, that sum of $120 million could have been substantially more.

Even if a business is serious about its security, it could all be for naught if the small details go unnoticed. There is no denying the size and influence that Coca-Cola possesses, but that did little to stop You in her efforts.

Vudu Consulting can help your business protect its data the way it needs to be protected, against threats from all angles. To learn more about the solutions and services we offer, give us a call at 866.640.0557.