JHL Biotech’s theft of Genentech data holds lessons for infosec

On the surface, the case of Racho Jordanov, CEO of JHL Biotech (Eden Biologics), and COO Rose Lin seemed like another case of corporate espionage. They targeted a technology they needed and then set out to acquire the technology. For many years they were successfully stealing Genentech’s secrets.  

That is until the spigot was turned off with the 2018 indictment of Xanthe Lam and Allen Lam, wife and husband, who with others were collectively indicted in October 2018 for the theft of Genentech’s trade secrets. Xanthe Lam was a principal scientist at Genentech, where she worked from 1986 until 2017. Allen Lam, her husband, worked in quality control at the company from 1989 to 1998.

The duo pleaded guilty in August 2021 to having “obtained and possessed confidential proprietary and trade secret information from Genentech” between 2011 and 2019.

Five years of insider theft

The guilty plea entered by the Lams indicated how the couple conjured up their pipeline of secrets. Their cooperation was solicited by Jordanov and Lin. Allen Lam went to work for JHL in 2013 as a consultant and his wife Xanthe continued to work at Genentech. The conduit is not hard to sleuth out: She passed Genetech’s secrets to her husband who transferred them to JHL. She wasn’t just sharing her secrets with her husband; she shared the contents of her Genentech company laptop with JHL when she visited Taiwan and quietly visited JHL’s facilities over the course of four weeks.

Indeed, she was all-in, as she was part of the interview team for a John Chan, a family friend who was hired by JHL to work on formulation development and to whom, via Allen, Xanthe’s stolen information was provided. She remotely supervised Chan’s work at JHL from May 2014 through September 2016.

Her access within Genentech was JHL’s access. Xanthe recommended a former Genentech employee to be hired as an “engineering manager” by JHL. Upon hire, Xanthe provided to the manager, James Quach, her login credentials to access the secured databases of Genentech. Predictably, Quach downloaded documents of interest through July and August 2017.

The court document highlights, through her “employment termination in the fall of 2017, she continued to download and provided Genentech proprietary information to JHL.”  The Lams have not yet been sentenced.

The Senior U.S. District Judge Hon. William Alsup, of the Northern District of California in mid-March 2022 sentenced the former CEO and COO of JHL Biotech to 12 months and one day in prison, to be followed by a period of supervised release as punishment for the theft of trade secrets from Genentech and wire fraud to the tune of $101 million. 

Genentech’s civil case

Genentech sued JHL in October 2018 and the case closed out in December 2021, Genentech was given relief and in theory, their trade secrets are protected from use by the individuals who stole the information and those who used it at JHL. The individual defendants are prohibited from working on specific areas of research for varying periods of time, with some running through late 2028 and others of shorter duration (unless both parties agree on the avenue of research).

Ethical dilemmas around intellectual property

One of the key issues upon hire that every entity must engage with a new hire is to ensure they are not introducing the intellectual property of another entity into your entity, either purposefully or accidentally.

Clearly, there was no ethical dilemma encountered within the JHL corporate culture regarding the infusion of the intellectual property of others to advance the corporate plans, intentions, and goals given the guilty pleas of the CEO and COO. That said, what of the individual employees who weren’t part of the greater conspiracy? What path did they have when they discovered the company’s research had its roots in Genentech’s information? The view from a distance tells us the employee could vote with their feet and inform law enforcement and the company whose data was stolen, Genentech.

Infosec lessons from the JHL/Genentech case

Similarly, for Genentech to learn that one of their principal scientists was sharing significant amounts of their intellectual property with others over the period of many years must have been a surprise. No doubt the information security teams were engaged in months of damage assessment in 2018.

Questions galore no doubt percolated to the top. One of import would appear to be how the company laptop issued to Xanthe Lam and accessed in Taiwan during her four-week visit to JHL didn’t register as an anomaly. (Perhaps her logins were not anomalous events with the use of a VPN?) Another question: Was her own harvesting of information over the years or the use of her login credentials to the sensitive databases viewed as anomalous?

The indictment of the Lams indicates that the Genentech infosec team had login files and access to emails that apparently served to tell the tale of the theft and for which the multi-count criminal indictment was based.

Genentech trusted their employees and these employees broke that trust. Once Genentech knew what was what, they apparently brought in law enforcement, allowed the criminal course to be set, and then entered into civil action to protect their intellectual property.

Companies would be well served to invest in information security and the attendant information protection policies, procedures, and mechanisms to protect against the threat posed by a malevolent insider. Otherwise, they, like Genentech, will find themselves investing in being a cooperative witness in the prosecution of corporate espionage and then chasing their intellectual property through the legal system.