How an Israeli cybersecurity company tracked the employee who stole its code

Key Points
  • An ex-employee of Israel's NSO Group was indicted last week for stealing the company's code.
  • NSO had been tracking the thief using an internal loss prevention system.

Late last week, Israel's state attorney's office indicted a former employee of cybersecurity company NSO Group for reportedly stealing source code tied to a software product that's sold as a surveillance tool for government clients.

The NSO ex-employee, who hasn't been identified because of privacy laws in Israel, tried to sell the stolen code to competitors for $50 million in cryptocurrency, but a prospective buyer alerted the company, the indictment said.

CNBC has learned from people familiar with the matter that NSO previously became aware of a possible theft via an internal data loss prevention system. Authorities received the code to NSO's Pegasus software before it could be sold, said the people, who asked not to be named because the investigation is ongoing.

NSO, which has connections to the Israeli military, is best known for its proprietary software that can be used to break encryption on smartphones. The incident illustrates how difficult it can be, even for companies that specialize in security, to adequately deal with employees who become insider threats.

Stealing trade secrets

Stealing source code and selling it illegally or taking it to another company is a familiar story.

Waymo sued Uber over the theft of trade secrets by a former employee. Uber settled early this year, giving Waymo an equity stake worth $245 million and promising not to use Waymo's proprietary information.

In 2009, a former Goldman Sachs programmer allegedly took valuable high-speed trading source code, before being fired, arrested and prosecuted. The incident has gone through numerous twists in federal and state courts, and the programmer, Sergey Aleynikov, .

The current case involving the NSO Group is unique in that the stolen code was built by security experts. NSO software is used for surveillance, primarily by government clients, and can be used to break through security measures on devices like iPhones that belong to their targets. The software is heavily monitored by the Israeli government, which regulates who buys it and how it's used, according to the people familiar with the technology.

The alleged thief is a 38-year-old ex-employee who took the Pegasus source code after becoming disgruntled over being asked to take part in a formal job review, according to the indictment. Israeli companies are required to do such reviews before firing an employee.

After its data loss prevention system notified NSO of the potential theft, the company kept track of the rogue employee, knowing he had downloaded sensitive information, the people said. Uncertain of his intentions, the company alerted possible buyers in the industry that he might try to sell it, they said.

One of those industry insiders was contacted by the ex-employee and informed NSO, the people said. NSO tracked the negotiations between the buyer and the seller and, working with Israeli authorities, was able to establish that the activity was criminal, they said.

Acquisition in the works

The indictment comes just as NSO is reportedly an acquisition target. The Wall Street Journal reported in May that Verint Systems, a U.S. security company with offices in Herzliya, Israel, has been in talks to buy NSO for $1 billion, and a person familiar with the negotiations said other firms have also expressed interest in buying the company. All potential parties have been briefed on the details of the theft, the person said.

A Verint representative didn't respond to a request for comment.
