If at first you don’t succeed, try, try again.
It’s a storied proverb but also from time to time, unfortunately, the modus operandi for hackers and cybercriminals.
This is apparently exactly what one former employee at a popular biotechnology firm did in order to steal trade secrets. He was stopped twice by the company's security system but after changing his technique, he was successful.
The data theft revolves around sensitive trade secret information belonging to AbbVie, the multi-billion-dollar biopharmaceutical company and the manufacture of its best-selling drug, the immunosuppressive HUMIRA, or adalimumab.
According to a court filing from last Friday, AbbVie alleges that Alvotech, another drug company based in Iceland, was looking to enter the U.S. market with its own version of HUMIRA but cut corners to do so. Alvotech's plan hinged on hiring an AbbVie employee, Rongzan Ho, and in turn, his privileged access to details around the large-scale manufacturing of the drug.
Ho, who was working as a team leader for upstream manufacturing of HUMIRA, was recruited by Alvotech and joined the company as soon as he was offered the job in 2018. Despite agreeing to take the job, he was still employed by AbbVie and would continue to work there for several other weeks.
Ho had keen knowledge around how to manufacture the drug; he helped set up the company’s plant in Singapore, learned which approaches worked and didn't work, how to optimize production, and which errors and inefficiencies to avoid. He also had privileged access to sensitive documents on equipment, standard operating procedures, training programs, trial, development, and engineering process runs, and process validation.
According to the indictment, before leaving AbbVie Singapore, Ho tried to steal confidential and proprietary trade secret data three times. The company's security systems caught him twice when he tried to send his personal Google email an email with the subject line "Useful Information." When that didn’t work, he renamed the email "Keep in touch (AbbVie),” something that was able to sidestep protocols the company had in place.
Attached to the email were files about AbbVie's upstream manufacturing process for HUMIRA, data-rich Excel spreadsheets, information about the timing of process parameters, cell culture process parameters and conditions, logistical information and materials for laboratory operations, among other trade secrets.
He also, as to not draw attention to the theft, claimed upon leaving AbbVie that he'd taken all of the company's information off his computer, storage, and email services. He also hid the fact he was going to work for Alvotech, instead he lied and said he was leaving the company for career development.
While at Alvotech, Ho reportedly did a lot of the same jobs he did at AbbVie – overseeing upstream manufacturing - largely to fuel the creation of a HUMIRA copycat, AbbVie alleges.
AbbVie's patents around Humira expire in 2023 and other U.S. companies with biosimilar drugs are expected to compete with it. The lawsuit alleges Alvotech couldn’t make the steps they made, making more or less the same drug in the same dosage, in the time it did, without AbbVie’s trade secrets.
The theft of course went against a series of confidentiality and non-disclosure agreements signed by Ho. While these agreements, along with policies like marking certain files as confidential, distributing information on a need to know basis, and so on were supposed to prevent incidents like this, they did nothing to prevent Ho from actually stealing the data
While the trade secrets were stolen by Ho in Singapore, the email server for the facility and the backup server for the company's file share server were based in Alpharetta, Georgia, meaning the secrets were stolen from the U.S., not Singapore.
AbbVie says Ho wasn't the last to get recruited by Alvotech; two others were lured to work for the comapany last May, according to the complaint.
“A recruiter reached out on behalf of Alvotech to one or more AbbVie employees and specifically inquired about work on Alvotech’s biosimilar to AbbVie’s HUMIRA® as part of the job description," the document reads.
While the document doesn't get into what kind of security systems AbbVie had in place, the fact that it sounds like it blocked content by subject line and not by the content in the email - like sensitive attachments – raises some questions. The fact that Ho was able to circumvent the systems as easily as he did raises questions too.
Having policies and procedures for IP protection can safeguard sensitive, valuable data and prevent it being moved in the first place.
The story bears some similarities to another biotech trade secret theft case from earlier this year in which a Merck director was stealing trade secrets about another immunotherapy drug, Keytruda, shortly before he planned to leave the company for a competitor, AstraZeneca.
In that case, the employee purportedly took research protocols, compound data, drug monitoring plans, and strategic plans by transferring them via USB device and email.
It wasn't until the company performed a forensics review of the employee's laptop that it determined there was data loss.
