Both NVIDIA and Valeo (a global automotive parts and technology supplier) have learned the hard way that it’s all too easy for employees to exfiltrate valuable intellectual property (IP), and other sensitive data when they leave an organization.
This week, Valeo filed a lawsuit against NVIDIA, alleging that a former employee stole six gigabytes of source code relating to parking and driver assistance technologies (as well as presentations and spreadsheets relating to the technology) and that NVIDIA has financially gained from its “stolen trade secrets.”
The issue came to light this year when the two firms embarked on a joint project. During a Microsoft Teams video call, the former Valeo employee (now at NVIDIA) shared his screen, accidentally exposing a folder and file containing the Valeo source code.
Valeo employees on the call immediately recognized it, took a screenshot of the offending data, and reported the incident. The former employee was subsequently convicted by German authorities over unlawfully holding the data, and his new employer, NVIDIA, was subjected to a lawsuit.
“NVIDIA has saved millions, perhaps hundreds of millions, of dollars in development costs, and generated profits that it did not properly earn and to which it was not entitled,” the complaint alleges.
The issue is not a new one, in fact, we wrote about the threat of leavers to organizational data last year. But, this story puts into perspective the very real danger and financial impact that intellectual property theft can have on both the exited company, and also a new employer – who may very well be completely unaware that stolen IP has been introduced to their organization.
Valeo’s lawsuit alleges that the former employee downloaded source code without authorization by granting access to Valeo’s systems to his personal email account. He was then able to exfiltrate the data. It is not specified in the lawsuit, but, given the size of the data (over six gigabytes), we must assume that it was copied to removable media or transferred to a personal cloud store.
Interestingly, the lawsuit outlines Valeo’s technologies and process to protect IP – although this seems to have not been enough to mitigate the risk. The information points to the use of access controls within Google Drive that the employee managed to circumvent.
Can DLP protect Intellectual Property?
Tools like Endpoint Protector by CoSoSys are designed to combat data loss that occurs either through accidental oversharing by employees, or maliciously. Policies can be built to protect common PII and PHI types, as well as company specific IP – including source code.
It achieves this by protecting common data exit points on Windows, macOS, and Linux endpoints. These include email, messaging apps such as Slack and Microsoft Teams, browser uploads to cloud apps, printers, removable storage media, and more. Even if employees try to circumvent controls, perhaps by renaming files, trying to take screenshots, or printing files, Endpoint Protector allows organizations to monitor and protect data at the endpoint – even when employees go offline. This gives organizations the visibility and control they need to control sensitive data and eliminate the risk of data leaving the endpoint.
Employers should be aware of the risks that new employees may bring with them
NVIDIA’s situation also highlights the need for employers to be aware of the data that new employees bring with them. Typically, there’s no malice behind their actions. It’s simply a desire to keep hold of data that could benefit them in their new role. Perhaps a list of potential sales contacts, or, simply, some examples of their work they’d like to keep for reference. Of course, that’s not to say it’s all without malice. There are plenty of examples of employees taking confidential information with them to a new employer, just as this case highlights.
Either way, the result is a loss of data for the original employer, and potential financial penalties for the new employer.
eDiscovery can identify data-at-rest on employee endpoints
NVIDIA claims that it has not benefited in any way from the stolen data and that it resided on the employee’s endpoint (laptop) only. Tools such as Endpoint Protector’s eDiscovery module scans employee endpoints for sensitive data and allows security administrators to encrypt or delete it. This neutralizes any risk of that data later being exfiltrated, or putting the employer at risk of breaking any regulatory requirements (e.g., GDPR, NIST, HIPAA).
Request a demo of Endpoint Protector to learn more about how you can protect your data from unauthorized exfiltration, and mitigate the risk of leavers taking your intellectual property with them
Explore More on Insider Threat Management
Interested in diving deeper into the world of Insider Threat Management? Check out these hand-picked resources to expand your knowledge:
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.