5 min read
November 10, 2025

Intel’s Insider Threat: How One Engineer Walked Away with 18,000 ‘Top Secret’ Files

When we think of data breaches, our minds often jump to sophisticated hackers, phishing campaigns, or ransomware groups operating from the shadows. 

But as Intel’s recent insider data theft case proves, some of the most damaging breaches don’t come from sneaky hackers in hoodies - they come from the trusted employees with authorized access you interact with every day.

In mid-2024, Intel revealed that a recently laid-off software engineer had allegedly exfiltrated thousands of “Top Secret” files before disappearing. 

It’s a scenario that feels alarmingly familiar across industries: a departing employee, lingering access, and critical intellectual property suddenly leaving the building.

Intel’s incident offers a timely reminder that insider threats aren’t rare anomalies - they’re predictable events in times of organizational change.

The key question for every security leader is not if this could happen in their organization, but how well-prepared they are to detect and prevent it.

What Happened at Intel?

According to court filings and media reports, Intel has filed a $250,000 lawsuit against a former employee, Jinfeng Luo, alleging theft of roughly 18,000 confidential files, some marked “Intel Top Secret.” 

Luo, who joined Intel in 2014, received a termination notice in July 2024 amid the company’s large-scale lay-offs.

Intel’s internal systems first detected attempts by Luo to transfer files from his company-issued laptop to an external drive about a week before his departure - an attempt that was blocked by existing protections. However, just days later, Luo reportedly found a workaround: transferring sensitive data to a personal NAS (network-attached storage) device.

Over several days, he allegedly downloaded tens of thousands of files, including proprietary software, source code, and confidential project data.

Intel discovered the breach shortly afterward, but was unable to reach Luo by phone, email, or postal mail. After months of unresponsiveness, the company escalated the issue through legal channels, seeking both damages and the return of its data.

This is not an isolated case for Intel. In a prior incident, another ex-employee illegally copied information before leaving the company, and used that confidential data to secure a position at Microsoft! 

These repeated patterns illustrate three critical truths: 

  1. Even global enterprises with ‘advanced’ cybersecurity infrastructure remain vulnerable to insider misuse during sensitive periods like layoffs and restructuring.
  2. This could happen to ANY company, ANYWHERE, ANYTIME - nobody is immune.
  3. This case is relatable for everyone, even if you’re not at the enterprise level - layoffs happen, employees leave, and trusted staffers take jobs with competitors.

Bottom line? Know where your data is, understand what’s being done with it, and stop risky activity before it turns into headlines or legal trouble.

How Insider Data Exfiltration Happens

The Intel case highlights a classic pattern of insider risk that many organizations face today. These incidents often follow a predictable sequence:

Access + motive + opportunity = a recipe for disaster

→ A trusted employee with legitimate access becomes disengaged, disgruntled, or opportunistic, particularly around times of departure.

No context = no chance

→ Security tools may flag activity or alert that a risky event has happened, but lack the behavioral context to distinguish between normal data movement and malicious exfiltration. Context is everything here, yet most security solutions don’t offer this - especially when dealing with legacy or endpoint DLP products.

Delayed response, too late…

→ By the time the activity is noticed, reviewed, or investigated by security teams, the insider is often gone, and sensitive data is already outside company control. 

Even with endpoint protection and DLP tools in place, organizations frequently struggle to connect behavioral signals in time to act. A surge in downloads, unusual file access patterns, or large-volume transfers may appear benign in isolation - but together, they paint a clear picture of risk.

The hard truth? Traditional security models built around perimeter defense and access control aren’t designed for employees and insiders with legitimate credentials. Preventing incidents like Intel’s requires not just monitoring data, but understanding user intent and context in real time.

The Real Cost of Insider Threats

When an insider walks out with sensitive data, the damage extends far beyond the immediate loss. It’s not just about the number of files stolen - it’s about what those files represent: intellectual property, trade secrets, source code, customer information, and years of competitive advantage.

In Intel’s case, those 18,000 files could include blueprints of future products, proprietary processes, or confidential partner agreements. Even if the data never surfaces publicly, the risk of exposure forces companies to divert resources into forensics, litigation, and reputation management.

Research consistently shows that insider incidents cost organizations millions in legal fees, response efforts, and lost productivity. 

Sure, this can be ‘cleaned up’ and paid away…but the intangible costs - eroded customer trust, employee morale, and brand credibility - can linger for years.

The real cost of a data breach is more than millions; it's everything.

Intel's case isn't an isolated incident. Just two weeks ago, former employees at Palantir were reported to have sent company data from their corporate Slack account to their personal Slack accounts, and later leveraged it to build a competitor company. This resulted in:

  • Over $1M in legal expenses defending IP rights and enforcing NDAs. 
  • Loss of 10+ key employees, costing another $1.5M in replacement and training.
  • Potential 5-10% drop in business due to lost trust - upwards of $50M in revenue exposure.

Perhaps most frustrating for security leaders is the preventability of these incidents. Insider exfiltration rarely happens without warning. 

There are almost always signs - sudden spikes in file downloads, mass access to previously untouched folders, or unauthorized external sharing activity. 

The problem is that many organizations lack the visibility and automation to connect these dots quickly enough to intervene.

Then boom - by the time the deed is done - it's too late. That data is gone forever, and so is your brand’s good reputation.
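The two passages above make the same point: a download spike, access to previously untouched folders, a transfer to an unsanctioned destination, a termination notice and a recently blocked copy attempt each look harmless alone, but together they are the pattern. The following is an added example, not DoControl's product logic and not a record of the Intel investigation, of how a detection pipeline can score those signals per user per day and alert only when several coincide. Every event, the HR notice date, the blocked-transfer record, the user names and all thresholds are constructed assumptions; it also handles the edge case where a user has too little history for a baseline, in which case no spike verdict is issued.

```python
"""
Insider-risk correlation over file-activity events.

Added illustration; not DoControl's code and not data from the Intel case.
All events, the HR notice, the blocked endpoint event and every threshold
below are constructed assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

BASELINE_DAYS = 14                      # history needed before a spike is judged
SPIKE_MULTIPLIER = 5                    # today's volume must exceed 5x the daily baseline
DEPARTURE_WINDOW = timedelta(days=30)   # +/- window around an HR termination notice
BLOCKED_LOOKBACK = timedelta(days=7)    # a blocked transfer this recent is a signal
ALERT_THRESHOLD = 3                     # concurrent signals needed to raise an alert


def _history(user, first_day, days, folder="/proj/alpha", files=30):
    """Constructed routine activity: `files` per day to one folder on corporate storage."""
    return [{"user": user, "day": first_day + timedelta(n), "folder": folder,
             "files": files, "dest": "corp"} for n in range(days)]


# Constructed file-activity log. dest == "corp" is sanctioned storage; anything
# else (removable drive, NAS, personal cloud) is an unsanctioned destination.
EVENTS = (
    _history("eng-1", date(2024, 6, 24), 18)
    + _history("eng-2", date(2024, 6, 24), 18)
    + [  # eng-1, four days after a termination notice: bulk copy to a NAS
        {"user": "eng-1", "day": date(2024, 7, 12), "folder": "/proj/alpha", "files": 200, "dest": "nas"},
        {"user": "eng-1", "day": date(2024, 7, 12), "folder": "/proj/beta", "files": 300, "dest": "nas"},
        {"user": "eng-1", "day": date(2024, 7, 12), "folder": "/proj/gamma", "files": 300, "dest": "nas"},
        # eng-2, same day: a large but internal pull of a folder not touched before
        {"user": "eng-2", "day": date(2024, 7, 12), "folder": "/proj/delta", "files": 500, "dest": "corp"},
    ]
)

# Constructed HR feed (termination-notice dates) and endpoint log of blocked transfers.
HR_NOTICES = {"eng-1": date(2024, 7, 8)}
BLOCKED_TRANSFERS = {"eng-1": [date(2024, 7, 9)]}


def daily_volume(events, user):
    """Files moved per day by one user."""
    vol = defaultdict(int)
    for e in events:
        if e["user"] == user:
            vol[e["day"]] += e["files"]
    return vol


def signals_for(events, user, day, hr_notices=HR_NOTICES, blocked=BLOCKED_TRANSFERS):
    """Evaluate the independent signals for one user on one day and score them."""
    vol = daily_volume(events, user)
    past = [e for e in events if e["user"] == user and e["day"] < day]
    today = [e for e in events if e["user"] == user and e["day"] == day]

    # Spike is only judged once enough history exists: no baseline, no verdict.
    history_days = {e["day"] for e in past}
    window = [vol[day - timedelta(n)] for n in range(1, BASELINE_DAYS + 1)]
    baseline = sum(window) / BASELINE_DAYS
    spike = len(history_days) >= BASELINE_DAYS and vol[day] > SPIKE_MULTIPLIER * baseline

    seen_folders = {e["folder"] for e in past}
    new_folders = {e["folder"] for e in today} - seen_folders
    external = any(e["dest"] != "corp" for e in today)

    notice = hr_notices.get(user)
    departing = notice is not None and abs(day - notice) <= DEPARTURE_WINDOW
    recent_block = any(0 <= (day - b).days <= BLOCKED_LOOKBACK.days
                       for b in blocked.get(user, []))

    signals = {"spike": spike, "new_folders": bool(new_folders), "external_dest": external,
               "departing": departing, "recent_block": recent_block}
    signals["score"] = sum(1 for v in signals.values() if v)
    return signals


def assess(events, hr_notices=HR_NOTICES, blocked=BLOCKED_TRANSFERS):
    """Score every (user, day) pair in the log; return those at or above the alert threshold."""
    alerts = []
    for user, day in sorted({(e["user"], e["day"]) for e in events}):
        s = signals_for(events, user, day, hr_notices, blocked)
        if s["score"] >= ALERT_THRESHOLD:
            alerts.append((user, day, s))
    return alerts


if __name__ == "__main__":
    for user, day, s in assess(EVENTS):
        active = [k for k, v in s.items() if v is True]
        print(f"ALERT {user} {day}: {s['score']} signals -> {', '.join(active)}")
```

Run on the constructed log, eng-2's 500-file internal pull of a new folder scores two signals and stays below the threshold, while eng-1's NAS copy scores five and alerts; the same spike-sized event is benign or not depending on the surrounding context, which is the point the text makes about legacy DLP lacking that context.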

How to Prevent Insider Threat Incidents 

The Intel incident sheds light on a painful truth: traditional security tools - think endpoint protection, firewalls, and access policies - aren’t built to stop legitimate users from taking legitimate actions with malicious intent.

What’s needed is a context-aware layer of control that understands how users interact with data across SaaS and cloud applications.

That’s exactly where DoControl comes in.

DoControl provides automated, real-time controls that detect and stop insider data exfiltration BEFORE it happens. If a departing employee like Luo had attempted to mass-download sensitive files, DoControl would have:

  • Identified anomalous activity immediately - using context from HRIS, IdP, and our proprietary DLP engine, our platform would have recognized deviations from the user’s typical behavior and flagged it as risky.
  • Delivered instant visibility to the security team, highlighting what data was accessed, when, and where it was moved.
  • Automated policy enforcement - our automated workflows would've kicked into gear and remediated the action: whether by restricting large-scale downloads, blocking external sharing, or suspending risky accounts.

Where traditional DLP tools focus on data at rest or in transit, DoControl operates in the dynamic SaaS layer - where most sensitive collaboration now occurs. It connects user behavior, data context, and automated response to prevent exactly the type of event Intel experienced.

In other words: if a company like Intel had DoControl in place, those 18,000 “Top Secret” files would have never left the company’s environment.

Key Takeaways for Security Leaders

The Intel incident is a brutal reminder that insider risk is not a hypothetical threat - it’s an everyday reality for modern enterprises.

Insider incidents aren’t random. They follow patterns.

When layoffs happen (and they do, across every industry), the risk for data exfiltration spikes. Employees often start moving files in the days or weeks leading up to their departure - sometimes intentionally, sometimes not. Either way, the impact can be the same.

Here are the top three things security teams need to remember:

1. Insider incidents follow patterns.

Departing employees often take data with them - whether it’s “just in case” or with intent. If your company is going through layoffs, reorganizations, or transitions, you need to pay attention.

2. Traditional controls don’t go far enough.

Endpoint protection and access management only see part of the picture. They can’t tell you how users are interacting with data across SaaS apps - where most sensitive information actually lives. Context on user behavior, file activity, and data movement is essential.

3. Visibility and automation are critical.

Manual investigations can’t keep up when data can be exfiltrated in minutes. You need an automated, always-on approach that detects risky behavior and takes action before damage occurs.

This is where DoControl steps in.

We give security teams the real-time visibility, context, and automation needed to stop insider threats before they escalate.

With DoControl, you can:

  • Detect abnormal behavior across SaaS apps before it becomes a data loss event.

  • Enforce granular policies that prevent unauthorized downloads, sharing, or external access.

  • Automate security workflows to remove the manual effort (and stress) from insider risk management.

  • Maintain full auditability for compliance, investigation, and reporting.

Whether it’s a departing engineer syncing IP to a personal NAS, an employee sending company data to their personal Gmail, or sensitive files being overshared in Slack - DoControl helps you see, understand, and stop data exfiltration before it becomes a headline.

What should you do then? 

If recent events have you rethinking your insider risk strategy, start with a few simple questions:

  • Do we actually know who has access to what - and why?

  • Can we detect abnormal data movement across our SaaS apps in real time?

  • Do we have automation in place to respond before a ‘risk’ turns into an incident?

If any of those answers are “I don’t know” or “not really,” it’s time to modernize your insider risk posture - and rethink your approach.

Source: https://www.tomshardware.com/tech-industry/cyber-security/laid-off-intel-employee-allegedly-steals-top-secret-files-goes-on-the-run-ex-engineer-downloaded-18-000-files-before-disappearing 


Melissa leads DoControl’s content strategy, crafting compelling and impactful content that bridges DoControl’s value proposition with market challenges. As an expert in both short- and long-form content across various channels, she specializes in creating educational material that resonates with security practitioners. Melissa excels at simplifying complex issues into clear, engaging content that effectively communicates a brand’s value proposition.
