A former product engineer at Ford Motor Co. has been charged with stealing sensitive design documents from the auto maker worth millions of dollars.
Xiang Dong Yu, of Beijing, also known as Mike Yu, was arrested Wednesday at Chicago's O'Hare International Airport upon his entry into the U.S. from China where he is working with a Ford rival.
Yu, 47, was charged with theft of trade secrets, attempted theft of trade secrets and unauthorized access to protected computers. Each of the theft-related charges carries a maximum of 10 years in prison and a fine of up to $250,000. Yu faces a maximum of five years and $250,000 in fine on the charge of accessing a protected computer. The arrest was announced by Terrence Berg, U.S. attorney for the Eastern District of Michigan.
According to the indictment papers, Yu was employed at Ford between 1997 and 2007. In his role as a product engineer at Ford, Yu had access to trade secrets contained in Ford system design specification documents. The documents contained detailed information on performance requirements and associated testing processes for numerous major components in Ford vehicles.
The documents are created and maintained by subject matter experts at Ford and are used by Ford design engineers when building new vehicles and by suppliers providing parts to the company. According to the indictment papers, Ford has spent "millions of dollars and decades on research, developing and testing" to create the requirements in the system design documents.
In June 2005, Yu is alleged to have traveled to China in an attempt to find a job in the automotive industry. Before leaving on the trip, Yu is alleged to have downloaded several system design specification documents, including those unrelated to his work, onto an external hard drive which he took with him to China.
Yu resumed his job search in August 2006 and was offered a job with electronic and automobile component manufacturer Foxconn, PCE Industry Inc. in November of that year. A few days after Yu accepted the job in December 2006, he is alleged to have downloaded more than 4,000 Ford documents to a hard drive. The documents included information on Ford's engine and transmission mounting subsystem, electrical distribution system, front and rear side door structure, steering wheel assembly and instrument panel and console subsystem.
Later that same month Yu left to work at Foxconn, PCE's facility in Shenzhen, China, with the stolen Ford documents in his possession. Yu did not inform Ford about his new job until January 2007. Slightly more than a year later, Yu apparently attempted to use the stolen trade secrets when applying for a new job with an automotive company in China. When those efforts proved unsuccessful, he accepted another job offer at Beijing Automotive Co., which was described in court documents as a Ford rival.
It is not clear from the indictment papers how authorities learned about Yu's attempts to use the stolen information in his job search in China. It is not apparent, for instance, whether the companies that Yu applied to for jobs, informed Ford. The court papers also mention that Ford's security controls included "marking" sensitive documents. It's also not clear whether any of companies where Yu worked used any of the information that Yu allegedly had stolen.
A call requesting comment from the U.S. Attorney's office for the Eastern District of Michigan was not immediately returned.
The incident is similar to other trade-secret thefts involving users with privileged access to corporate systems and data. Earlier this month, Hong Meng, a former research scientist at DuPont USA was indicted on charges related to the theft of trade secrets. Meng is alleged to have downloaded sensitive trade secrets pertaining to DuPont's new, thin-computer display technology called "organic light emitting diode" or OLED. The company charged Meng with attempting to profit from the information by using it to commercialize OLED products in China in conjunction with Peking University in Beijing.
In 2007, Gary Min, another former scientist at DuPont admitted to stealing an estimated $400 million worth of proprietary company information . He is serving an 18-month sentence in federal prison .
Brian Cleary, vice president of marketing at security vendor Aveksa said the incident is another reminder of why companies need to implement a "governance framework" for managing, monitoring and logging all access and activity involving sensitive data. Companies should be implementing risk-based access controls to sensitive data where the focus should be on understanding what an individual's role is and then making sure that individual only has access to the specific information needed for the job.