The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

Scientist Stole Trade Secrets Before Joining Competitor

by Chris Brook on Thursday February 4, 2021

Contact Us
Free Demo
Chat

It wasn't until after the employee left that the company realized how many proprietary files he'd transferred to his personal email accounts and thumb drives.

Trade secrets on pharmaceuticals and medical research continue to be some of the most valuable data that healthcare organizations oversee, even more so in the months following the COVID-19 pandemic, a period that’s seen heightened instances of espionage and cyberattacks.

Time and time again in cases like these, when data is stolen internally, an employee is found either conspiring to steal or actually stealing valuable trade secrets, either to sell to a foreign country – China in many instances lately – or in order to give them a leg up at their next job.

That appears to be the case in one incident, disclosed several weeks ago by the U.S. Attorney's Office in the District of New Jersey. In a complaint filed on New Year’s Eve last year, a former Merck director was accused of stealing trade secrets about drugs shortly before he planned to leave Merck for a competitor, pharmaceutical giant AstraZeneca.

The employee, Shafat Quadri, faces up to 10 years in jail and a fine of up to $250,000 if he's convicted; he was released on a $100,000 bond last month. The DOJ announced the charges - stealing and illegally transmitting trade secrets - in January.

According to the Department of Justice, Quadri, who worked for Merck as the immune oncology department's director of medical and scientific affairs, copied and transferred thousands of files pertaining to biopharmaceutical clinical trials and cancer research before he left the company in September 2019.

While neither Merck nor AstraZeneca are named in the complaint, proprietary data relating to KEYNOTE119, a clinical trial related to KEYTRUDA, Merck's cancer immunotherapy drug, is mentioned in the court paperwork. Dates on Quadri's LinkedIn profile - leaving Merck in September 2019 to join AstraZeneca - coincide with the DOJ’s announcement as well.

Judging from the complaint, Quadri didn't go about his actions in the most sophisticated manner: He stole data by transferring it to USB devices - logs indicated that Quadri inserted a USB device on seven occasions and transferred 1,157 files - and by emailing documents – at least 12 of them – to his personal Gmail and Yahoo email accounts.

It doesn’t appear any of the file names were changed when Quadri emailed them; one attachment was marked C1-3475, aka MK-3475, the name of an immunotherapy drug, Pembrolizumab, Merck markets.

As if this wasn't blatant enough, on October 1, 2019, Quadri also used his old Merck email to send company files to his new AstraZeneca email address according to the DOJ. It's unclear why Quadri still had access to his Merck email, especially as his employment there had ended two days prior.

It wasn't until October 2019 that Merck realized something was afoot and contacted the FBI. An internal investigation carried out after he left the company revealed that Quadri stole company data, including research protocols, compound data, drug monitoring plans, and strategic plans like U.S. congress presentation plans.

The company had safeguards in place; Quadri signed documents and took trainings outlining his obligation to secure proprietary information. The company password protects sensitive documents, forbids the storage of company data on personal devices, and had no shortage of physical security measures in place. While the complaint claims the company had a DLP Tool implemented and reviewed NDLP logs, it wasn't until after he left that it realized the scope of Quadri’s data theft.

While it's certainly good Merck has evidence of their former employee's malfeasance – breadcrumbs an incident response team no doubt followed – it’s unfortunate the solution it had in place couldn't mitigate the problem - and stop the data theft in real time - in the first place.

It wasn't until Merck's security team carried out a forensic review of his laptop on October 8 - a month after he moved the files - that it determined Quadri had transferred hundreds of files via USB.

As one pharmaceutical trade secret theft story looks to be ramping up, another seems to be winding down.

Another research scientist, Li Chen, formerly of Nationwide Children’s Hospital’s Research Institute in Ohio, was sentenced to 30 months in prison on Monday. Chen plead guilty last July to conspiring to steal five trade secrets related to exosome research. Chen and her husband, Yu Zhou, were arrested in July 2019; the two worked at both worked at the hospital - but not together - for ten years, Chen from 2008 to 2018, Zhou from 2007 to 2017.

Court documents claim Chen received payments from China, including from the country's State Administration of Foreign Expert Affairs and the National Natural Science Foundation of China for her work. She also started a company there with the stolen trade secrets.

Like Quadri, both Chen and Zhou used email to exfiltrate the data after stealing it; the two sent emails to China containing exosome-related data in the form of .JPGs, .PDFS, Powerpoint slides, Word, and Excel files.

Zhou plead guilty in December and is still awaiting sentencing.

Tags: IP theft

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.