The financial impact of Intellectual Property (IP) theft can be devastating, both to an individual company and to the broader industry it represents. IP can constitute a significant portion of a single organization’s value – as much as 80% in some cases. Such high-value IP assets naturally make an irresistible target for threat actors, particularly those employed by state sponsors engaged in direct and combative struggles against American industries for global economic and military supremacy.
While IP theft is often perpetrated outside of the digital space (think disgruntled employees stealing sensitive information to sell to a competitor), a huge volume of IP theft is now committed through data breaches. The digitization of virtually every industry in the world means that almost all business data is stored in digital information systems. Whether in the cloud or on-premises, even the most secure and hardened information systems are routinely breached by social engineering attacks. As such, vast quantities of IP representing hundreds of billions of dollars are being stolen on a frighteningly regular basis.
The Commission on the Theft of American Intellectual Property (the IP Commission) estimates that losses to American business from the theft of IP range from $225 billion to $600 billion annually. That is equivalent to between 1% and 5% of the entire GDP of the United States. Losses could easily top $1 trillion in the current decade.
The National Intellectual Property Rights Coordination Center (IPRCC) reports the volume of enforcement actions against IP theft has risen in response to the correlated increase in this type of criminal activity. According to IPRCC in January 2024:
- Cases initiated against IP Theft are up 21%
- Criminal arrests are up 39%
- Indictments are up 99%
- Convictions are up 29%
- Seizure Incidents have seen a slight decline by 9%
- And finally, the total cost from the theft of American intellectual property is estimated to have gone up from $822.3 million to $1.12 billion, an increase of 36%.

The threat posed by IP theft has only grown since Deloitte’s Emily Mossburg and J. Donald Fancher published “The Hidden Costs of an IP Breach” in 2016 wherein they noted:
“Compared with more familiar cybercrimes such as the theft of credit card, consumer health, and other personally identifiable information (PII)—which regulations generally require be publicly reported—IP cyber theft has largely remained in the shadows. Most cases receive no widespread attention, perhaps because the impact to the public is less direct—and because, considering the potential brand and reputational damage, companies have little incentive to report or publicize such incidents. Plus, compared with PII breaches, IP theft has ramifications that are harder to grasp: fewer up-front, direct costs but potential impacts that might metastasize over months and years. Theft of PII might quickly cost customers, credit ratings, and brand reputation; losing IP could mean forfeiture of first-to-market advantage, loss of profitability, or—in the worst case—losing entire lines of business to competitors or counterfeiters.”
Emily Mossburg & J. Donald Fancher
Don’t allow the lifeblood of your enterprise – precious intellectual property – to be robbed from you and your employees. Take steps now to overlay existing cyber security practices with robust external data privacy management solutions.
This paper explores how unsecured external data and other data privacy vulnerabilities enable the different types of intellectual property theft. It examines the consequences these thefts have on victimized organizations. It then addresses the burgeoning role of state-sponsored threat actors in perpetrating IP theft, before finally offering concrete actions organizations can and must take to ensure existing cyber security practices are complete from a data privacy and security standpoint.
Types of Intellectual Property Theft
There are four broad categories of IP theft an organization must guard against. Each category definition will include a real-world example of a breach illustrating the threat.
1 – Unauthorized Copying and Distribution – This refers to reproducing copyrighted works, like books, music, films, and software, without permission. It also includes sharing or distributing these materials via file-sharing platforms or other online channels.
Threat actors don’t necessarily single out music, books or film when deciding which organizations to breach. After all, hackers like an easy win, and reproducing books and movies to resell doesn’t fit that mold. However, the trillion-dollar software market is a perennial target of threat actors because proprietary code, once stolen through unauthorized access to secure information systems, is something that can be easily sold to numerous buyers on the dark web. Hundreds of millions are invested each year by software development companies into research and development in order to produce advances and innovations in numerous fields. For an unscrupulous software company, it is much cheaper to simply purchase stolen code than it is to produce it. Buying stolen code allows bad actors to quickly bring products to market in direct competition with the companies the code was stolen from.
Example: Hackers Breach Acer and Sell Stolen IP
The sixth largest PC manufacturer in the world, Acer Electronics, was the victim of a data breach in February 2023. Files containing more than 160 gigabytes of data were stolen in the breach. It has been reported that the hackers responsible for the breach are selling Acer’s confidential slides/presentations, technical manuals used by company staff, Windows Imaging Format files, multiple binaries, backend infrastructure information, confidential product documents, etc.
Given the exposure of sensitive proprietary information, Acer has a lot to lose, especially considering it was already targeted twice in 2021—first by the REvil ransomware group and then by the Desorden Group.
2 – Patent Infringement – This involves the unauthorized use, production, or sale of an invention that is protected by a patent.
Intellectual property, particularly patent protection, is essential for the success of many U.S. businesses, regardless of their size. As the pursuit of patent protection intensifies, so does the frequency of data theft and other security breaches. Therefore, companies must understand if an invention remains patentable when the proprietary information behind it becomes exposed due to a data breach or cybersecurity failure. This question is relevant whether the breach is accidental or intentional and whether it is caused by an external party or an internal employee. The outcome is generally the same: patent rights are likely lost.
Example: Threat Actors Breach the US Patent and Trademark Office
While there is not a direct line between a data breach and an instance of patent infringement, it is clear that hackers view patent information as a high-value target. The USPTO disclosed that it had exposed the PII of 14,000 patent applicants in an accidental data spill. Although not the result of a malicious attack, this exposure is nearly certain to result in the subsequent theft of patent applicants’ work product. The kind of PII exposed is precisely what threat actors use to perpetrate phishing and other social engineering attacks. Knowing that this leaked data is associated with potentially lucrative new products and business models, threat actors have great incentive to leverage this data to mount attacks on patent applicants. And there are plenty of foreign manufacturers that would embrace stolen patents to beat the legitimate patent-holder to market with the new product.
3 – Trade Secret Misappropriation – This is the act of stealing confidential or proprietary business information for personal benefit or to gain an unfair edge over competitors.
Proprietary secrets have long been a precious commodity and susceptible to theft. In the digital era, however, cybersecurity breaches have emerged as the newest avenue for theft of trade secrets, proprietary data, and other essential information, causing potentially devastating impacts on businesses of every size. Hacking into secure systems, threat actors actively target trade secrets such as formulas, designs, processes, and software code, as well as strategic plans, market strategies, marketing data and more: anything they can sell to competing interests seeking to gain competitive advantage.
Example: Aerospace and defense industry giant BAE Systems Applied Intelligence reported a successful—and rare—criminal attack on an unnamed U.S.-based hedge fund that cost the hedge fund millions of dollars over the two-month span of the attack. According to global business law firm Orrick, “The hack began with a successful phishing email sent to a member of the hedge fund’s staff. Once the attack commenced, the hackers lifted information about what trades were being made and when they were being made, before sending the details of the trades to external servers. Additionally, the hackers added slight time delays to the hedge fund’s trades, which could have provided an outsider time to make the same trade, thus gaining a trading advantage.”
In another particularly damaging example, Nortel Networks, a Canadian telecommunications company, was the target of a hacking operation initiated by state-sponsored actors. They infiltrated Nortel’s systems, gaining access to sensitive information, including trade secrets and intellectual property, for almost a decade. This significant data breach contributed to Nortel’s bankruptcy in 2009, underscoring the devastating impact of IP theft.
4 – Trademark Infringement – This occurs when an individual or entity uses a trademark, logo, or brand name without consent, typically to deceive consumers and profit from the resulting confusion.
Thankfully, this type of IP theft is not something commonly associated with data breaches or other forms of cybercrime.
Consequences of Intellectual Property Theft
Impact on Businesses – Intellectual property theft poses a major threat to businesses, particularly to small and medium-sized enterprises, as it undermines their profitability, competitiveness, and ability to innovate.
Economic Impact – The theft of intellectual property impacts not only individual companies but also the broader economy, leading to potential job losses, reduced tax revenue, and hindered economic growth.
Innovation Loss – Patents, trade secrets, and other intangible assets are vital for driving innovation across industries. When these assets are stolen or misused, it can discourage companies from investing in research and development.
State Sponsored Threat Actors Behind Data Breaches & IP Theft
The Office of the United States Trade Representative (USTR) has published the “2023 Special 301 Report,” an annual assessment that reflects the state of global intellectual property (IP) protection and enforcement. This report is an essential resource for U.S. policymakers, businesses, and IP rights holders, providing insights into countries that present substantial challenges to IP protection.
A central focus of the report is identifying trade partners that create issues for U.S. IP protections. This year’s priority list includes:
- Argentina
- Chile
- China
- India
- Indonesia
- Russia
- Venezuela
The report also names countries on a non-priority watch list, such as Egypt, Vietnam, Canada, Mexico, and Algeria. This watch list acts as a diplomatic prompt for these countries to strengthen their IP laws and enforcement, potentially opening the door for bilateral discussions and policy changes that could benefit both domestic and global stakeholders.
For purposes of this paper, the focus of this section will be on China. While all the above-mentioned nations routinely engage in fielding cyber attacks against the United States and its economy, China is the most prolific. This is largely because, as the largest economy of all those on this list, China is best situated to leverage the fruits of stolen IP. The Chinese manufacturing sector is ascendant in the global economy, as is its technology sector. China is also making advances in matching the military might of the United States, though it still trails the US by a significant margin. This is why the theft of IP is an attractive strategy for China to truncate the timelines associated with development of both consumer technology and defense technology.
The FBI reported the estimated cost to the US economy of Chinese counterfeit goods, pirated software, and theft of trade secrets is between $225 billion and $600 billion. The Coalition for a Prosperous America (CPA), a national non-profit organization representing exclusively domestic producers across many sectors and industries of the U.S. economy, has called China the most prolific industrial espionage perpetrator in the world.
CPA research director Jeff Ferry says, “Industrial espionage has been going on for centuries, but experts agree China’s espionage campaign is on a different scale from anything we’ve seen in history. It has been going on at least since the 1990s and there is no sign it is letting up. Targets include an incredibly broad range of US companies, embracing civilian as well as military technology, with a special focus on the telecom and Internet sector.”
The Cyfirma China IP Theft Report says, “Some of the most vulnerable industries to this campaign are those in information technology, advanced manufacturing (especially in semiconductors), aerospace, maritime, rail, high-tech shipping equipment, new-energy vehicles, biotech, and pharmaceutical products.” The same report from threat intelligence firm Cyfirma also covers a much larger industrial strategy that China uses to displace companies from competitor countries. Called “Made in China 2025,” the plan has been revealed as an initiative by the Chinese Communist Party (CCP) to comprehensively upgrade Chinese industry.
Created by the Ministry of Industry and Information Technology (MIIT), this plan is designed to emphasize quality over quantity, optimize the structure of Chinese industry and make it more efficient and integrated so that it can capture the larger-margin share of the value chain. The plan calls for a comprehensive industry overhaul but highlights 7 priority sectors:
- Advanced information technology, automated machine tools & robotics
- Aerospace, maritime, rail and other high-tech shipping equipment
- New-energy vehicles
- Power equipment
- Agricultural equipment
- New materials
- Biotech and pharmaceutical products
Aggressive timetables for execution do not allow for the arduous and costly process of research, development and testing. Instead, confirming other intelligence assessments, the CPA reports that the Chinese military employs officers whose jobs consist of hacking American companies full time – 24x7x365. Their goal is to advance China’s economic and military advantage while simultaneously hobbling America’s leadership at home and abroad.
The same strategies used by independent threat actors/hackers – focusing on the social engineering attack surface – are heavily in use by the Chinese and other state-sponsored threat actors. What makes them even more dangerous, however, is the extensive financial and technological support of the Chinese government, which provides access to the powerful AI and other technologies supercharging this already effective attack vector.
CrowdStrike’s 2024 Global Threat Report noted an especially frightening trend regarding Chinese efforts at infiltrating secure systems and stealing valuable IP. The report notes that in 2023, China-nexus adversaries increasingly targeted third-party relationships in efforts to deploy malicious implants and gain initial access. As data privacy experts have been warning, even those organizations with effective processes in place to cleanse their workforces’ unsecured external data from the internet are still vulnerable to data breaches propagated via third-party channels.
Add Data Privacy Protection to Cyber Security and Protect IP
This emerging segment of information security – the external data privacy segment – is evolving as quickly as the cutting-edge threats emanating from the military and government intelligence agencies arrayed against western governments and enterprise. In fact, the lines between hackers and state sponsored threat actors continue to vanish.
[Read more on this subject in Privacy Bee for Business white paper: The Blurring Lines Between State Sponsored Threat Actors and Cyber Criminals]
However, awareness and adoption of external data privacy as the most important, emerging attack surface is lagging the expansion of efforts on the part of threat actors – both state sponsored and the criminal organizations emulating their strategies.
The reality is, most organizations attempting to stem this tide of AI-enabled social engineering being perfected by heavily resourced intelligence agencies are showing up to a gun fight armed with a knife.
The good news is, there are immediate, highly cost-effective steps any organization can take to implement an effective defense against the arrayed forces of state-sponsored and organized criminal threat actors. Privacy Bee for Business delivers a platform specially tailored to address the most pressing need facing information security leaders today – external data privacy protection, management and risk mitigation.
The platform provides no-cost tools for Employee Risk Management, External Data Privacy Audits and Privacy Risk Assessments. Taking these totally no-cost steps produces measurable data on existing risks and actionable strategies for plugging the vulnerabilities. Privacy Bee for Business also delivers a proven-effective method for not only protecting the customer organization against bleeding edge hacking and data breach tactics, but also the ability to extend Vendor Risk Management functions covering third-party relationships, ensuring robust protection isn’t undermined at weak points.
For even more details on actionable steps every organization can take to protect their IP assets, read Privacy Bee for Business white paper: Industrial & Corporate Espionage – New Variants of an Old Problem and How to Protect Your IP. Then reach out to speak with a Privacy Bee for Business expert on getting things set up for your organization.
