Insider Threats

Qualcomm: ‘We’d Like Our IP Back, Please’

It was the third week of January 2022 and the offer letter was signed and accepted; Guarav Kathuria was on his way out the door to start the next chapter in his career and closing out his 12-plus years at Qualcomm. Nothing to see here—this scenario happens to thousands of engineers each month. Except, well, not quite.

The difference between Kathuria and any given rank-and-file engineer is that Kathuria stands accused by his former employer, Qualcomm, of stealing “confidential documents, processes, schematics, and diagrams related to the chips and software Qualcomm was designing” on his way out the door.

On March 15, 2022, Qualcomm filed a complaint with the United States District Court, Southern District of California, San Diego Division that sought to bar Kathuria (and those with whom he shared the company’s secrets) from using those trade secrets.

Kathuria Discovered by Qualcomm

On December 9, 2021, Qualcomm’s security personnel detected that Kathuria “transferred to his personal email account a zip file containing confidential and proprietary information related to the design of Qualcomm’s chipsets.” When confronted, he acknowledged that what he did was wrong and fell outside acceptable practices, and he attested that he deleted the files.

On its face, it seemed the problem was solved.

The insider threat management processes worked. An employee acting outside the approved processes was detected and engaged. The employee’s explanation was apparently accepted, and in-the-moment schooling addressed the behavior.

In a perfect world, such would be the case—but wait, there’s more.

Kathuria waited a few weeks before doubling down; during the month of January 2022, he copied and exfiltrated dozens of files to his personal accounts. On February 1, 2022, Kathuria was formally interviewed as part of the investigation into his behavior. He admitted to copying hundreds of files but claimed he wasn’t stealing them and that they were for his own personal reference.

As the February 1 interview continued, Kathuria was pressed harder by investigators. It seemed he was unaware that his corporate email revealed he’d accepted a job offer with one of Qualcomm’s direct competitors (who was not further identified), and he finally admitted that he had, in fact, accepted a job offer from that competitor.

Kathuria’s Methodology

Kathuria was a trusted insider. His position as a lead engineer within the company provided him with unrestricted access to certain trade secrets. The company’s insider threat management program detected that he was uploading information to his personal email account and flagged the subsequent transfer of hundreds of files to other personal accounts. And at first, it seemed the information and the breach were contained.

But perhaps not; the complaint tells us that Kathuria deliberately circumvented the insider threat control processes designed to protect the company’s confidential information by screenshotting the information and then “transferring image files.”

Insider Threat Management

From the certainty of 20/20 hindsight, we see that while the Qualcomm insider threat playbook succeeded initially, it would appear that in the end, the playbook failed the company.

The original exfiltration of confidential information in December 2021 was apparently explained away in such a manner that the company did not immediately initiate a deeper investigation into this employee with more than 12 years of tenure. Nor, apparently, was Kathuria’s access to sensitive data restricted, leaving him free to try again.

The Qualcomm complaint revealed that the second instance of successful information exfiltration and theft occurred over the course of multiple days between January 8 and January 27, which is indicative of an after-action damage assessment rather than an in-the-moment discovery.

The lack of in-the-moment action now has Qualcomm chasing their intellectual property via the legal system.
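
An added example, not taken from the complaint or from Qualcomm's tooling: one way to turn an earlier incident into in-the-moment detection is to lower the alert threshold for that user and count image files sent to personal accounts over a rolling window. The domains, user names, thresholds and log records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All domains, users, thresholds and log records here are constructed for illustration.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".bmp", ".gif")
WINDOW = timedelta(days=7)
THRESHOLD = {"baseline": 10, "prior_incident": 1}  # image files per window

def detect(events, prior_incident_users):
    """Return (timestamp, user, count) alerts for image files sent to personal
    accounts, with a tighter threshold for users who had an earlier incident."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, image_count)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["dest_domain"].lower() not in PERSONAL_DOMAINS:
            continue  # business destinations are out of scope for this rule
        n = sum(f.lower().endswith(IMAGE_EXT) for f in e["files"])
        if n == 0:
            continue
        q = recent[e["user"]]
        q.append((e["ts"], n))
        while q and e["ts"] - q[0][0] > WINDOW:
            q.popleft()  # drop transfers that fell out of the rolling window
        total = sum(c for _, c in q)
        tier = "prior_incident" if e["user"] in prior_incident_users else "baseline"
        if total >= THRESHOLD[tier]:
            alerts.append((e["ts"], e["user"], total))
    return alerts

def ev(ts, user, dest, files):
    """Build one constructed egress record (mail or upload)."""
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "dest_domain": dest, "files": files}

SAMPLE = [  # constructed records, not real logs
    ev("2022-01-08T09:14", "eng_a", "gmail.com", ["shot1.png", "shot2.png"]),
    ev("2022-01-08T10:02", "eng_b", "gmail.com", ["team_photo.jpg"]),
    ev("2022-01-10T17:40", "eng_a", "partner.example", ["diagram.png"]),
    ev("2022-01-12T08:55", "eng_a", "outlook.com", ["shot3.png"]),
    ev("2022-01-27T18:30", "eng_a", "gmail.com", ["notes.txt"]),
]

if __name__ == "__main__":
    for ts, user, count in detect(SAMPLE, prior_incident_users={"eng_a"}):
        print(f"{ts.isoformat()} ALERT {user}: {count} image file(s) "
              "to personal accounts in the last 7 days")
```

With the earlier incident on record, the first image transfer alerts the same day; with an empty watchlist, the same activity stays under the baseline threshold and surfaces only in a later review.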

As of March 22, Kathuria has not yet been served the summons, nor responded within the legal system to the allegations made by Qualcomm.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
