DOJ Indicts Former Google Engineer for Stealing AI Trade Secrets

This week, the US Department of Justice arrested a former Google software engineer for stealing over 500 confidential files containing artificial intelligence trade secrets. For UK SMEs, the indictment is a stark reminder that the most severe threat to your proprietary data often sits on your own payroll. The engineer allegedly bypassed security simply by copying files into a personal Google Cloud account.

DOJ indicts former Google engineer for AI theft

On Wednesday, a federal grand jury charged 38-year-old Linwei Ding with four counts of trade secret theft, according to the US Department of Justice. Ding, who joined Google in 2019, allegedly transferred sensitive information about the company's supercomputing data centres and AI models to his personal accounts.

The indictment reveals that Ding began uploading the files in May 2022. He copied over 500 confidential documents while secretly affiliating himself with two technology companies based in the People's Republic of China. To avoid detection, he allegedly copied data from Google source files into the Apple Notes application on his company-issued MacBook, then converted them to PDF files before uploading them to a separate network.

According to NPR, Ding booked a one-way ticket to Beijing shortly before resigning in December 2023. While the geopolitical implications are dominating the headlines, the operational details of how the data left the building are what business owners need to examine.

The quiet risk of internal access

Most coverage of this indictment focuses on the geopolitical angle and the race for AI supremacy. But for a 50-person UK business, the real takeaway is the mundane mechanism of the theft.

Ding didn't use sophisticated hacking tools or zero-day exploits. He used his authorised access as an employee, a company-issued MacBook, and a personal cloud account. By simply copying text into Apple Notes and saving it as a PDF, he bypassed Google's data loss prevention systems for a year.

If it can happen to Google's supercomputing division, it can happen to your customer relationship management system. UK SMEs often over-index on external perimeter defence, buying expensive firewalls and running anti-phishing simulations, while ignoring internal access controls. The uncomfortable truth is that your biggest data security risk is likely a trusted employee with unrestricted export rights.

I see too many growing companies hand out global admin rights to new hires on day one. When your sales team can freely download your entire client database to a personal device, or your engineers can clone your proprietary codebase to a private GitHub repository, you're completely exposed. You don't need to be building AI supercomputers to have data worth stealing.

Three things to check

You don't need an enterprise security budget to close these gaps. Start with the tools you already pay for.

1. Audit your offboarding protocol. When an employee hands in their notice, their ability to bulk-export data should be revoked immediately. Check your Google Workspace or Microsoft 365 logs for unusual download volumes in the 30 days prior to resignation.
2. Restrict personal cloud access. Use your mobile device management software to block access to personal Google Drive, Dropbox, or iCloud accounts on company-owned laptops.
3. Enforce least-privilege access. Review who actually needs export rights in your CRM and code repositories. If a junior account manager only needs to view 50 client records a week, they shouldn't have a button that downloads all 5,000.