Phillips 66 – Battery Systems
Summary
Hongjin Tan, an employee of Phillips 66, committed theft of trade secrets by downloading Phillips 66’s intellectual property related to lithium-based battery systems to a personal USB device, with the purpose of selling it and producing under employment for a China-based company, Xiamen Tungsten.
Indicators of Compromise
- Travel to a High-Risk Country: From 9/15/18 to 9/30/18, Tan traveled to Beijing, China.
- Discovery: Tan was able to search for and download information he had no need to access as part of his job.
- Employment Offer: Tan stored an offer letter on his Phillips 66 work computer.
- Theft of Data: Trade secret information was transferred to a personal USB device.
- Exiting Employee: An employee exiting an organization presents a significant risk for data loss.
- Aging Parents: During his exit interview, Tan said he was returning to China to be with his aging parents. Aging or sick parents are used as a reason for travel in many insider threat cases.
Lessons Learned
👍 Exit Review
Phillips 66 performed a review of data loss prevention logs as soon as they were notified of the employee's exit.
👍 Promptly Notified FBI
Phillips 66 notified the FBI the day after Tan gave his notice and they found out he may have stolen their intellectual property.
👍 Reporting Mechanism
The employee who dined with Tan felt comfortable enough to disclose concerning information about Tan to Phillips 66.
👎 USB Access
Not only was Tan able to transfer data to a USB device when he had no need to, he was able to transfer it to a personal USB device.
💡 Companies should block USB devices from reading or writing to a company computer by default. If exceptions need to be made, implement a policy where employees must use a company-issued, encrypted USB device.
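The exit review and the USB policy above can be combined into one check, shown here as an added example that is not part of the original case write-up: it scans data loss prevention records for a departing employee and flags removable-media writes to devices outside the company-issued allowlist. The CSV layout, user names, device serials, file names and the 90-day lookback are all constructed assumptions, not fields from any real DLP product or facts from the case.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample DLP export; every value below is hypothetical.
SAMPLE_DLP_LOG = """timestamp,user,action,device_serial,file,classification
2024-03-01T09:12:00,jdoe,usb_write,CORP-ENC-0001,q1_slides.pptx,internal
2024-03-04T17:40:00,asmith,usb_write,PERSONAL-9F3A,cell_design_v7.pdf,restricted
2024-03-04T17:42:00,asmith,usb_write,PERSONAL-9F3A,lunch_menu.docx,public
2024-03-05T08:05:00,asmith,file_open,,offer_letter.pdf,public
2023-11-20T10:00:00,asmith,usb_write,PERSONAL-9F3A,holiday_photos.zip,public
"""

APPROVED_SERIALS = {"CORP-ENC-0001"}  # company-issued, encrypted devices (assumed)
LOOKBACK = timedelta(days=90)         # assumed review window before notice


def exit_review(log_text, user, notice, as_of,
                approved=APPROVED_SERIALS, lookback=LOOKBACK):
    """Return flagged USB writes by `user` from (notice - lookback) to `as_of`.

    Each finding is (timestamp, file, device_serial, reasons), with
    transfers of restricted data listed first, then by time.
    """
    findings = []
    window_start = notice - lookback
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["user"] != user or row["action"] != "usb_write":
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        if not (window_start <= ts <= as_of):
            continue
        reasons = []
        if row["device_serial"] not in approved:
            reasons.append("unapproved device")
        if row["classification"] == "restricted":
            reasons.append("restricted data")
        if reasons:
            findings.append((ts, row["file"], row["device_serial"], reasons))
    findings.sort(key=lambda f: ("restricted data" not in f[3], f[0]))
    return findings


if __name__ == "__main__":
    for ts, name, serial, why in exit_review(
            SAMPLE_DLP_LOG, "asmith",
            notice=datetime(2024, 3, 5), as_of=datetime(2024, 3, 6)):
        print(ts.isoformat(), name, serial, ", ".join(why))
```

Running the same review on the day notice is given, rather than on the last day, is what makes the finding actionable while the employee and the device are still on site.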