JHL Biotech’s theft of Genentech data holds lessons for infosec

On the surface, the case of Racho Jordanov, CEO of JHL Biotech (Eden Biologics), and COO Rose Lin appeared to be another case of industrial espionage. They targeted a technology they needed and then set about acquiring the technology. For many years they successfully stole Genentech’s secrets.

Shut off until 2018 with the indictment of Xanthe Lam and Allen Lam, wife and husband, who along with others were charged in October 2018 with stealing trade secrets from Genentech. Xanthe Lam was a senior scientist at Genentech, where she worked from 1986 to 2017. Allen Lam, her husband, worked in the company’s quality control department from 1989 to 1998.

The duo pleaded guilty in August 2021 to “receiving and possessing confidential proprietary information and trade secrets of Genentech” between 2011 and 2019.

Five years of insider theft

The guilty plea submitted by the Lams showed the pair conjuring up their secrets. Their cooperation was requested by Yordanov and Lin. Allen Lam joined JHL as a consultant in 2013 and his wife Xanthe continued to work at Genentech. The line isn’t hard to uncover: she passed Genetech’s secrets to her husband, who transferred them to JHL. Not only did she share her secrets with her husband; she shared the contents of her Genentech company laptop with JHL when she visited Taiwan and quietly visited JHL’s facilities for four weeks.

In fact, she was all in, as she was part of the interview team for one John Chan, a family friend who was hired by JHL to work on formulation development and was provided with information stolen about Allen Xanthes. From May 2014 to September 2016, she remotely oversaw Chan’s work at JHL.

Her approach within Genentech was JHL’s approach. Xanthe recommended that a former Genentech employee be hired as an “Engineering Manager” at JHL. Upon hiring, Xanthe provided manager James Quach with her credentials to access Genentech’s secure databases. Predictably, Quach downloaded interesting documents through July and August 2017.

The court document highlights that she continued to download and provide JHL with proprietary information from Genentech during her “fall 2017 termination of employment.” The Lams have not yet been sentenced.

The senior US District Judge Hon. In mid-March 2022, William Alsup of the Northern District of California sentenced the former CEO and COO of JHL Biotech to 12 months and one day in prison followed by a period of supervised release as punishment for stealing Genentech trade secrets and $101 million in wire fraud.

Genentech’s civil suit

Genentech sued JHL in October 2018 and the case was closed in December 2021. Genentech has been exonerated and, in theory, its trade secrets are protected from use by the people who stole the information and those who used it at JHL. Individual defendants are prohibited from working on specific research areas for varying lengths of time, with some ending in late 2028 and others of shorter duration (unless both parties agree on the research path).

Ethical dilemmas surrounding intellectual property

One of the most important hiring issues that any company must agree on with a new employee is ensuring that they do not intentionally or accidentally introduce another company’s intellectual property into your company.

Given the guilty pleas of the CEO and COO, there was clearly no ethical dilemma in JHL’s corporate culture about contributing the intellectual property of others to further the company’s plans, intentions and goals. That being said, what about the individual employees who weren’t part of the larger conspiracy? Where did they go when they discovered that the company’s research was rooted in Genentech information? The view from afar tells us the employee could be voting with their feet, alerting law enforcement and the company whose data was stolen, Genentech.

Infosec lessons from the JHL/Genentech case

Similarly, it must have been a surprise for Genentech to learn that one of its key scientists has shared significant amounts of its intellectual property with others over a period of many years. Undoubtedly, information security teams spent months conducting damage assessments in 2018.

Questions galore no doubt seeped up. One of the most important appears to be that the company laptop issued to Xanthe Lam, which she accessed during her four-week visit to JHL in Taiwan, was not registered as an anomaly. (Maybe their logins weren’t anomalous events using a VPN?) Another question: Was their own information gathering over the years or use of their login credentials to the sensitive databases considered anomalous?

The charges against the Lams indicate that Genentech’s infosec team had login files and access to emails that appeared to be used to tell the story of the theft, on which the multiple charges were based.

Genentech trusted its employees and these employees broke that trust. Apparently, once Genentech knew what was going on, they turned to law enforcement, embarked on a criminal course, and then filed civil suits to protect their intellectual property.

Organizations would be wise to invest in information security and related information protection policies, procedures and mechanisms to protect against the threat of a malicious insider. Otherwise, like Genentech, they will invest to act as a cooperative witness in the prosecution of corporate espionage and then chase their intellectual property through the legal system.

Copyright © 2022 IDG Communications, Inc.

Leave a Comment