Insider Theft of $119M worth of Coca-Cola IP

Written by: Piers Shearman

Categorized: Insider Threat

What happened?

An engineer who worked for Coca-Cola and other manufacturers is alleged to have stolen valuable trade secrets in order to set up her own company in China using the stolen technology.

Xiarong You has been accused of insider theft and economic espionage against a number of large corporations, including Coca-Cola and Eastman Chemical. The thefts relate to Bisphenol-A-Free technology, used as “coating for use inside cans…that prevents the contents of the can from interacting with the metal surface of the can over time”.

According to the filing, Xiarong You worked for Coca-Cola for 5 years, from 2012 to 2017, as a principal engineer for global research, an insider position which gave her access to trade secrets. She used this position to steal trade secrets claimed to have cost $119 million to develop.

She also had access to other related trade secrets shared between Coca-Cola and other companies.

In 2017 Xiarong You applied for China’s Thousand Talents Program, an award used to identify and recruit experts in science and innovation around the world. A June 2018 report from the National Intelligence Council declared the underlying motivation of the program to be “to facilitate the legal and illicit transfer of US technology, intellectual property and know-how” to China. Benefits for the winners include a prestigious title as well as financial benefits and visa privileges.

According to the US Department of Justice, “The indictment alleges that Xiarong You, Liu, and a third co-conspirator formulated a plan in which You would exploit her employment with the two American employers to steal trade secrets and provide the information for the economic benefit of the Chinese company that Liu managed, which would manufacture and profit from products developed using the stolen trade secrets. In exchange, Liu would cause the Chinese company to reward Xiarong You for her theft, by helping her receive the Thousand Talent and another financial award, based on the trade secrets she stole, and by giving her an ownership share of a new company that would “own” the stolen trade secrets in China.”

How did Xiarong You exfiltrate the data?

Xiarong You allegedly stole the data by two methods: uploading the files to her personal Google Drive account, and using her phone to take photographs of sensitive files displayed on screen. It is also alleged that she took photographs of laboratory equipment in order to assist in the development of their own lab. These were then stored on an external drive.

How was the insider theft discovered?

According to the filing, Xiarong You was caught in possession of sensitive files on June 22nd 2018. She is also charged with attempting to “cause a representative of Employer #2 to destroy evidence that she had copied to the external hard drive in her possession.” No further detail is given, but it sounds like some kind of social engineering attack was attempted.

What was Xiarong You’s motivation for insider theft?

Xiarong You’s motivations for insider theft appear to be both financial and reputational: to benefit from being part owner of a new tech company and to have the status and benefits of being a “Thousand Talent” winner.

What could the companies have done differently to prevent this insider theft?

As in many cases of insider theft, Xiarong You was one of a limited number of individuals vetted and authorised to access these files as part of her role as principal engineer. The data exfiltration was apparently not initially flagged by internal controls at any of the 5 organisations that she was able to extract data from.

More effective real time controls should have been able to spot this activity.

She was able to get this data onto her private cloud storage. Organisations should only allow access to company cloud storage on company devices. Users with access to sensitive data should only be able to access that data with company devices. Users should be prevented from installing additional software and access to sites should be controlled through appropriate whitelisting.

The copying of files could also have been flagged. Setting alarms for the photographing of data on a screen is harder, but it can be detected because the user interaction when photographing screens is very different from that of a normal reader or editor. For example, an employee might access 6 documents per hour for an average of 10 minutes, scrolling every 3 seconds as they read the information. Contrast this with someone who repeatedly opens a file, sets full screen, pauses 2 seconds to photograph, scrolls a full page, and repeats. This has a very inorganic, mechanical “fingerprint”, distinct from how we normally read or scan a document with our eyes.
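The contrast described above can be expressed as a simple scoring rule over document-viewer telemetry. The following is an added example, not code from the article or from any product; the event schema, user names, file names and thresholds are all assumptions, and the sample events are constructed.

```python
from statistics import mean, pstdev

# Constructed viewer telemetry: (seconds, user, doc, action, pages_scrolled).
# The event schema and all thresholds below are illustrative assumptions.
def reader_events():
    """Organic reading: small scrolls roughly every 3 s, irregular pauses."""
    ev, t = [(0.0, "alice", "spec.pdf", "open", 0.0)], 0.0
    for gap in [2.1, 3.4, 2.8, 5.9, 3.0, 1.7, 4.2, 3.3, 2.6, 7.5]:
        t += gap
        ev.append((t, "alice", "spec.pdf", "scroll", 0.15))
    return ev

def capture_events():
    """Mechanical pattern: open, full screen, ~2 s pause, full-page scroll."""
    ev, t = [], 0.0
    for doc in ["formula_a.pdf", "formula_b.pdf"]:
        ev += [(t, "bob", doc, "open", 0.0),
               (t + 0.5, "bob", doc, "fullscreen", 0.0)]
        t += 0.5
        for gap in [2.0, 2.1, 1.9, 2.0, 2.2, 2.0]:
            t += gap
            ev.append((t, "bob", doc, "scroll", 1.0))
        t += 1.0
    return ev

def score_user(events, user, min_scrolls=5, max_cv=0.2, min_full_page=0.8):
    """Return (flagged, features) for one user's document-viewer events."""
    gaps, sizes, docs, fullscreen_docs, last = [], [], set(), set(), {}
    for ts, _, doc, action, pages in sorted(e for e in events if e[1] == user):
        docs.add(doc)
        if action == "fullscreen":
            fullscreen_docs.add(doc)
        if action == "scroll" and doc in last:
            gaps.append(ts - last[doc])   # dwell time before this scroll
            sizes.append(pages)
        last[doc] = ts
    if len(gaps) < min_scrolls:
        return False, {}
    feats = {
        # share of scrolls that advance about a whole page
        "full_page_ratio": sum(p >= 0.9 for p in sizes) / len(sizes),
        # coefficient of variation of dwell time: low means metronomic
        "gap_cv": pstdev(gaps) / mean(gaps),
        "fullscreen_ratio": len(fullscreen_docs) / len(docs),
    }
    flagged = (feats["full_page_ratio"] >= min_full_page
               and feats["gap_cv"] <= max_cv
               and feats["fullscreen_ratio"] >= 0.5)
    return flagged, feats
```

Requiring all three signals together (full-page jumps, metronomic timing, full-screen use) keeps a fast skimmer or a presenter from tripping the rule on a single feature.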


Insider theft is at an all-time high. R&D is expensive and therefore valuable if stolen. Insider theft can be detected. Not all of your staff need access to commercially sensitive information; the ones that do need additional training and essential monitoring to ensure assets are protected.
