Welcome to 2026 with the traditional SearchInform Information Security Digest.
We’ve compiled insider-driven incidents from December–January that stood out the most to us. In this edition: an insider tries to cover their tracks, bank employees collaborate with cybercriminals, and a tech giant ends up in court over “a business that exists only on paper.”


What happened: South Korean prosecutors charged former Samsung employees with leaking proprietary DRAM manufacturing technology.
How it happened: Shortly after its founding in 2016, DRAM manufacturer ChangXin Memory Technologies (CXMT) recruited several employees from Samsung Electronics. These former staff members had been directly involved in developing Samsung’s breakthrough 10-nanometer DRAM process. Samsung was the first company in the world to achieve this milestone, investing approximately KRW 1.6 trillion into the technology.
As a result, CXMT became the first company in China and the fourth globally to mass-produce 10-nm-class DRAM, rapidly capturing nearly 15% of the global memory market.
Almost ten years later, in January 2024, South Korean prosecutors uncovered evidence of a leak involving Samsung’s core DRAM technologies and launched an investigation. The probe revealed that former Samsung employees had been systematically transferring proprietary know-how to CXMT. In one example, an employee manually rewrote roughly 600 stages of the manufacturing process onto 12 sheets of paper, believing that, unlike copying files to a USB drive or photographing them with a smartphone, this would evade Samsung’s information security controls.
Investigators believe the group used shell companies to avoid detection and relied on encrypted communications to conceal their activities. These precautions ultimately failed. In December 2025, prosecutors formally charged five former Samsung employees.
The exact penalties are yet to be determined, but given that the stolen data falls under highly protected information and, in some cases, may even qualify as state secrets, the consequences are expected to be severe.

What happened: A former employee of a South Korean company accused of data theft attempted to destroy evidence, using an unconventional approach.
How it happened: At the end of 2025, South Korean e-commerce giant Coupang detected unauthorized access to its infrastructure. Attackers obtained names, phone numbers, email addresses, and other personal data of 33.7 million customers. Financial information, such as credit card numbers, was not compromised.
Coupang confirmed the breach, reported it to law enforcement, and launched a joint investigation with Mandiant, Palo Alto Networks, and Ernst & Young. Within two weeks, investigators identified a suspect, obtained testimony, correlated it with forensic evidence, and reconstructed a detailed incident timeline.
The perpetrator turned out to be a former Coupang employee. After leaving the company, he retained an internal security key, which allowed him to access data belonging to millions of customers. However, he reportedly downloaded data from only 3,000 accounts to his personal devices and claimed he never shared the information with third parties.
When media coverage of the breach intensified, the insider panicked and attempted to eliminate evidence. He deleted data from his personal PC and MacBook. The laptop, however, received special treatment: he smashed it, placed it in a bag along with bricks, and threw it into a nearby river.
The extra precautions didn’t help. When police questioned him, he confessed and handed over the remaining hard drives from his PC. Investigators found the attack script on those drives, and the iCloud serial number of the submerged laptop matched the serial number associated with the suspect’s account.
Although only 3,000 accounts were directly affected, Coupang announced it would issue gift coupons to all 33.7 million customers as compensation. According to the company’s estimates, this gesture will cost over KRW 1.5 trillion.

What happened: A U.S. government agency accidentally exposed data belonging to 700,000 citizens.
How it happened: In late 2025, the Illinois Department of Human Services (IDHS) identified a data leak caused by misconfigured website privacy settings. The exposed resources included internal planning maps – datasets used by the agency to allocate resources and make policy decisions.
More than 32,000 planning records were publicly accessible between 2021 and 2025. These contained names, addresses, medical case numbers, case statuses, and other sensitive information. An additional 600,000 records, containing addresses, demographic data, and the names of healthcare assistance programs provided by IDHS, were publicly available from 2022 through 2025.
Access to the data has since been restricted. However, the website did not log access events, making it impossible to determine whether unauthorized parties actually viewed or downloaded the information.
In accordance with legal requirements, IDHS notified regulators and published a disclosure notice on its website on January 2.

What happened: Employees of Indian banks assisted cybercriminals in laundering money.
How it happened: Globally, cybercriminals rely on money mules to launder illicit funds. In India, the scheme evolved further: fraudsters began directly recruiting bank employees to create fraudulent accounts.
On December 24, 2025, India’s Central Bureau of Investigation (CBI) uncovered such a case and arrested two suspects. Using personal data from internal banking systems, the employees created fake accounts and used them to process transactions required by criminal groups. They also helped attackers bypass anti-fraud controls.
For example, anti-fraud systems typically flag attempts to open accounts using another person’s documents. Bank policy strictly prohibits this. However, some employees ignored system warnings and opened accounts without the account holder’s physical presence or proper identity verification.
The CBI is still assessing the scale of the scheme and identifying the organizers behind it. Authorities believe this is not an isolated incident. The number of bank employees involved and the volume of funds laundered remain under investigation.

What happened: The U.S. government accused a former Google employee of stealing AI trade secrets.
How it happened: In March 2024, U.S. authorities arrested a former Google employee on suspicion of trade secret theft. Software engineer Linwei Ding joined Google in 2019. Prosecutors allege that between May 2022 and May 2023, Ding copied at least 105 documents containing information about Google’s advanced AI technologies.
According to the indictment, he copied fragments of internal documentation from his corporate laptop into a note-taking application, converted them into PDFs, and uploaded them to his personal cloud storage.
It also emerged that in 2022, Ding secretly became Chief Technology Officer of a Chinese company, Rongshu, and in spring 2023 founded his own AI startup. During investor presentations, he claimed to have experience working with Google’s AI platform and stated he could replicate and enhance it. Shortly after Google discovered this side activity, the company terminated his employment and revoked his network access.
Nearly two years after the arrest, the case finally reached court. On January 12, 2026, the defense delivered its first statement. Ding’s attorney confirmed that he had indeed taken extensive personal notes, but argued that prosecutors lack proof the information qualifies as protected trade secrets. According to the defense, the prosecution’s case rests solely on suspicions that the notes were linked to a business venture in China – one that, as they put it, “exists only on paper.”
The defense also argued that if the copied information was truly protected, Google failed to take reasonable information security measures. Ding used a company-issued laptop for both work and note-taking, and during more than four years of employment, he allegedly received no security violation notices from Google’s infosec team.
The case is still unfolding. If convicted, Ding faces up to 15 years in prison and fines of $5 million per violation related to corporate espionage.

What happened: Two major multiplayer shooters fell victim to cyberattacks.
How it happened: In December 2025 and January 2026, two similar information security incidents hit the gaming industry, affecting Rainbow Six Siege (R6) and Apex Legends.
In late 2025, attackers gained access to R6 servers and caused widespread disruption: they randomly banned and unbanned players, interfered with moderation tools, and granted all users 2 billion units of premium in-game currency.
On December 27, developers confirmed the breach and temporarily shut down the servers. The game returned online two days later. Ubisoft was less enthusiastic about the “Robin Hood” distribution of currency and rolled back most purchases made using it.
In the case of Apex Legends, attackers couldn’t ban players or distribute free currency. Instead, they remotely hijacked player characters and forced them to walk off the edge of the map. Developers patched the issue the next day and blamed cheaters.
However, the gaming community suspects the incident was more serious. Some hijacked characters had their usernames changed to “RSPN Admin”, suggesting that someone may have obtained administrative privileges on a debug or internal server.
Security Tip of the Month: These incidents show that insider-driven data leaks often rely on legitimate access and attempts to bypass basic controls. A mature DLP system helps detect and prevent unauthorized copying, transfer, and storage of sensitive information, including uploads to personal clouds, removable media usage, and data exfiltration via email or scripts. Continuous monitoring of data flows allows organizations to identify risky activity early and reduce the impact of both malicious and negligent insider actions.
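As an added illustration of the monitoring described in the tip (not SearchInform's product code), the script below runs simple data-flow rules over a handful of constructed endpoint and proxy events: uploads to personal cloud storage, writes to removable media, outbound email to external domains, scripted bulk pulls from an internal data store, and, echoing the Coupang case, any access by an account whose owner has already been offboarded. The log format, domain lists, byte thresholds and the HR directory are all assumptions made up for the example.

```python
"""Toy data-flow monitor for the exfiltration channels named in the tip.
Every log line, domain list, threshold and HR record below is constructed
for this example; a real deployment would read them from its own sources."""
from dataclasses import dataclass
from datetime import datetime

# Constructed endpoint/proxy events: timestamp user channel destination bytes
EVENTS = [
    "2026-01-05T09:12:03 alice https_upload drive.google.com 42000000",
    "2026-01-05T09:15:44 alice usb_write E:\\proc_steps.docx 900000",
    "2026-01-05T10:01:10 bob https_upload sharepoint.corp.example 5000000",
    "2026-01-05T10:30:00 bob smtp_out partner@external.example 12000000",
    "2026-01-06T23:58:21 carol api_call customer-db.internal 250000000",
    "2026-01-07T02:10:07 dave api_call customer-db.internal 1000",
]

# Constructed HR directory: deprovisioning date, or None while still employed
OFFBOARDED = {"alice": None, "bob": None, "carol": None,
              "dave": datetime(2025, 12, 31)}

# Assumed policy lists and thresholds
PERSONAL_CLOUD = {"drive.google.com", "dropbox.com", "icloud.com", "onedrive.live.com"}
INTERNAL_MAIL_DOMAINS = {"corp.example"}
BULK_BYTES = 100_000_000  # anything larger in one call looks like a scripted pull


@dataclass
class Finding:
    user: str
    rule: str
    detail: str


def parse(line):
    """Split one constructed event line into typed fields."""
    ts, user, channel, dest, nbytes = line.split()
    return datetime.fromisoformat(ts), user, channel, dest, int(nbytes)


def evaluate(line):
    """Apply every rule to one event and return the findings it raises."""
    ts, user, channel, dest, nbytes = parse(line)
    findings = []
    off = OFFBOARDED.get(user)
    if off is not None and ts > off:
        # Credentials that outlive the employment relationship
        findings.append(Finding(user, "deprovisioned_access",
                                f"{channel} to {dest} after {off.date()}"))
    if channel == "https_upload" and dest in PERSONAL_CLOUD:
        findings.append(Finding(user, "personal_cloud_upload", f"{nbytes} bytes to {dest}"))
    if channel == "usb_write":
        findings.append(Finding(user, "removable_media_write", dest))
    if channel == "smtp_out" and dest.split("@")[-1] not in INTERNAL_MAIL_DOMAINS:
        findings.append(Finding(user, "external_email", f"{nbytes} bytes to {dest}"))
    if channel == "api_call" and nbytes >= BULK_BYTES:
        findings.append(Finding(user, "bulk_api_pull", f"{nbytes} bytes from {dest}"))
    return findings


def scan(lines=EVENTS):
    """Run the rules over a batch of event lines."""
    return [f for line in lines for f in evaluate(line)]


if __name__ == "__main__":
    for f in scan():
        print(f"{f.user:6} {f.rule:22} {f.detail}")
```

Running it flags five events and leaves the upload to the corporate SharePoint host alone; the deprovisioning rule fires on a tiny request, which is the point: for a departed account the volume is irrelevant, the access itself is the finding.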