Former DuPont worker gets 18-month sentence for insider data thefts

Federal judge also orders scientist to pay $45,000 in fines and restitution

A former DuPont research scientist who admitted a year ago that he illegally accessed and downloaded confidential documents valued at close to $400 million while he worked at the company was sentenced yesterday to 18 months in prison.

A U.S. District Court judge in Wilmington, Del., also ordered Gary Min, the scientist, to pay a $30,000 fine and $14,500 in restitution to DuPont. The sentence is substantially less than the maximum of 10 years in prison and a $250,000 fine that Min could have received.

Min, who also uses the first name Yonggang, pleaded guilty last November to stealing trade secrets from DuPont. His guilty plea became public in February, when the U.S. attorney's office in Delaware officially unsealed court documents relating to the case. Min originally was scheduled to be sentenced on March 29, but the sentencing was delayed until this week.

Robert Kravetz, an assistant U.S. attorney in Delaware, said Min's sentencing was put off while prosecutors held about 10 debriefing sessions with him in an effort to "get a handle on all of the DuPont technology that he had access to" and how much of the downloaded information had been transferred to systems given to Min by the company he joined after leaving DuPont.

Kravetz called Min's sentence fair and said that the case shows why it's important for companies to quickly contact law enforcement authorities when data breaches occur. "DuPont reached out at the outset, and that ensured that none of the technology [data] was disseminated," he said. "What DuPont did here was a really good job."

Federal agencies such as the FBI and the U.S. Department of Commerce have investigative tools at their disposal that companies typically don't have, Kravetz added. As a result, they're in a better position to resolve cases such as the one involving Min, he said.

The DuPont case highlighted the security dangers that organizations can face from trusted insiders. Min started working at DuPont in November 1995 and focused mainly on research involving a certain type of high-performance film. Then, in June 2005, he started talking with a U.K.-based company called Victrex PLC about possible job opportunities in Asia, according to court documents.

Min accepted a job with Victrex in October 2005 but didn't notify DuPont that he would be leaving until that December. Court records show that during the time he was in discussions with Victrex and for two months after he agreed to join that company, Min used his privileged access at DuPont to download about 22,000 document abstracts from DuPont's Electronic Data Library (EDL) system and to view approximately 16,700 full-text PDF files.

The EDL server hosts DuPont's primary databases for storing confidential information. A large portion of the material that Min downloaded had nothing to do with his primary areas of research, according to the court records. Instead, the documents involved most of DuPont's major product lines, including some emerging technologies that were still in the research and development stage, the court filings said.

Min's illegal activities were discovered only after he announced his plans to leave DuPont. An internal investigation by the company uncovered his unusually high usage of the EDL server, showing that he had accessed about 15 times more data than the next-highest user of system.

DuPont then contacted the FBI and the U.S. Department of Commerce, which launched a joint investigation of Min's activities. By the time he was arrested in February 2006, Min had downloaded an additional 180 DuPont documents, including some containing trade secrets, to a Victrex-owned laptop PC.

After DuPont contacted Victrex officials about those downloads, the U.K.-based company seized the laptop it had given to Min and handed the system over to the FBI. A subsequent raid of Min's home in Ohio uncovered several more computers containing confidential DuPont information, as well as evidence that Min had tried to destroy other company documents by burning or shredding them.

IT security analysts and vendors have pointed to the case as a classic example of the kind of havoc that can be wrought by rogue insiders if care isn't taken to mitigate the security threats they can pose.

Michael Maloof, chief technology officer at TriGeo Network Security Inc. in Post Falls, Idaho, said via e-mail that sentences like the one handed out to Min "should give pause to employees and contractors considering data theft." But Maloof also predicted that the number of criminal prosecutions of rogue insiders will continue to increase, "now that companies are implementing new 'watchdog' systems for risky employee behavior."

Such systems can give businesses and law enforcement authorities the means to collect and analyze the evidence needed to prosecute insiders who abuse their system privileges, Maloof said.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon