Nvidia’s Insider Threat Case: Lessons From a Trade Secrets Battle

When we talk about cybersecurity, most people picture external attackers hammering away at firewalls or phishing employees to gain access. But some of the most damaging breaches come from inside. Trusted employees, contractors, or partners can misuse their access in ways that are far harder to detect. Nvidia’s recent trade secrets case is a vivid reminder of how insider threats can shake even the most advanced technology companies.

The Engineer Who Crossed the Line

The case revolved around Mohammad Moniruzzaman, a former engineer who had previously worked at Valeo, a French automotive technology company specializing in autonomous driving and advanced driver assistance systems. Moniruzzaman joined Nvidia in 2021, bringing with him deep expertise in autonomous driving software. But according to Valeo, he also brought something else: their proprietary source code.

During a 2022 video call, Valeo employees noticed something alarming. Moniruzzaman’s screen displayed Valeo’s confidential codebase. Screenshots captured during the call showed that he had imported Valeo’s trade secrets into Nvidia’s environment. This discovery set off alarms inside Valeo and eventually led to a lawsuit against Nvidia.

How the Data Was Taken

Unlike an external hack, this was a case of insider misuse. Moniruzzaman had legitimate access to Valeo’s code while employed there. When he left, he carried those files with him. German authorities later investigated and convicted him in 2023 for unlawful acquisition of trade secrets. Nvidia terminated him once the issue came to light, but by then the damage had already been done.

This is the essence of an insider threat: someone who does not need to break in because they already have the keys. Traditional perimeter defenses are useless against this type of misuse.

What Kind of Data Was Stolen

The stolen material was not trivial. It included source code for Valeo’s autonomous driving and parking assistance technology. This code represented years of research and development, millions of dollars in investment, and a critical competitive advantage in the race to dominate autonomous driving. For Nvidia, which has been aggressively expanding into automotive AI, the overlap was particularly sensitive.

Valeo alleged that Nvidia’s own autonomous driving code contained functionalities that mirrored its stolen code. Even if Nvidia did not knowingly integrate Valeo’s intellectual property, the presence of that code inside Nvidia’s environment raised serious legal and ethical questions.

Attempts to Use or Sell the Data

There is no evidence that Moniruzzaman tried to sell the stolen data to third parties. Instead, the intent appeared to be to use the code to benefit Nvidia’s projects. Valeo argued that Nvidia stood to gain commercially from the misappropriated technology, which could accelerate its own autonomous driving initiatives. That intent alone was enough to trigger legal action under the Defend Trade Secrets Act.

Valeo filed suit against Nvidia in California federal court in 2023. The judge ruled that there was enough circumstantial evidence to send the case to trial. Nvidia denied wrongdoing, insisting that it had acted responsibly once the issue was discovered. Still, the company faced reputational risk and the possibility of significant damages.

In late 2025, Nvidia reached a settlement with Valeo. The terms were not fully disclosed, but reports indicate that Nvidia agreed to compliance measures and to stop using any Valeo-derived code. The settlement avoided a lengthy trial but underscored the seriousness of insider theft in the tech industry.

Why This Was an Insider Threat

This case is a textbook example of an insider threat. Moniruzzaman did not hack into Valeo’s systems after leaving. He simply abused the trust and access granted to him while employed there. Insider threats are particularly dangerous because they bypass traditional defenses. Firewalls, intrusion detection systems, and endpoint security tools are designed to stop outsiders. They are far less effective against insiders who already have legitimate credentials.

Broader Implications for Corporate Security

The Nvidia case highlights several lessons for enterprises:

  • Data loss prevention tools are essential. Companies need systems that monitor unusual file transfers, especially when employees are preparing to leave.
  • Access controls should limit exposure. Not every engineer needs access to every piece of source code. Least privilege should be the default.
  • Exit protocols must be rigorous. Companies should audit departing employees’ access and file activity to catch suspicious behavior before they walk out the door.
  • Cultural awareness matters. Employees must understand that intellectual property is not just company property. It is the lifeblood of innovation and competitiveness.
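One way to implement the departing-employee file-activity audit from the lessons above, as an added example (not code from the original article or from either company). The event tuples, the HR departure feed, the destination labels and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed sample events: (user, day, destination, bytes moved)
EVENTS = [
    ("bob", date(2024, 2, 5), "corp-share", 30_000_000),
    ("bob", date(2024, 2, 12), "corp-share", 50_000_000),
    ("bob", date(2024, 2, 19), "corp-share", 40_000_000),
    ("bob", date(2024, 3, 4), "corp-share", 45_000_000),
    ("bob", date(2024, 3, 20), "corp-share", 900_000_000),
    ("bob", date(2024, 3, 27), "usb", 60_000_000),
    ("carol", date(2024, 3, 10), "personal-cloud", 10_000_000),
    ("alice", date(2024, 3, 20), "usb", 2_000_000_000),  # not departing: outside this audit
]
# Constructed HR feed: user -> last working day
DEPARTURES = {"bob": date(2024, 3, 29), "carol": date(2024, 3, 15)}
EXTERNAL = {"usb", "personal-cloud"}  # hypothetical labels for destinations leaving the company

def flag_exit_transfers(events, departures, window_days=30, factor=5, min_history=3):
    """Return (user, day, bytes, reasons) for unusual days in each leaver's exit window."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> total bytes
    external = defaultdict(set)                    # user -> days with an external destination
    for user, day, dest, size in events:
        daily[user][day] += size
        if dest in EXTERNAL:
            external[user].add(day)
    findings = []
    for user, last_day in departures.items():
        start = last_day - timedelta(days=window_days)
        # Baseline comes only from activity before the exit window opened.
        history = [b for d, b in daily[user].items() if d < start]
        baseline = median(history) if len(history) >= min_history else None
        for day, total in sorted(daily[user].items()):
            if not (start <= day <= last_day):
                continue
            reasons = []
            if baseline is not None and total > factor * baseline:
                reasons.append("volume")
            if day in external[user]:
                reasons.append("external-destination")
            if reasons:
                findings.append((user, day, total, reasons))
    return findings

if __name__ == "__main__":
    for finding in flag_exit_transfers(EVENTS, DEPARTURES):
        print(finding)
```

A leaver with too little history gets no volume baseline, so only the destination rule applies to them; treat that as a gap to cover with manual review.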

For Nvidia, the case was a reputational challenge. For Valeo, it was a fight to protect its crown jewels. For the industry, it was a reminder that insider misuse can be as damaging as any external cyberattack.

The Human Side of Insider Threats

It is easy to demonize insiders who steal data. But cases like this also highlight the human dynamics at play. Engineers often move between companies, bringing expertise and experience with them. The line between knowledge gained through experience and proprietary information carried in files can be blurry. Companies must balance the free flow of talent with the need to protect intellectual property.

That balance is not easy. Overly restrictive policies can stifle innovation and frustrate employees. Too much trust can leave companies vulnerable. The Nvidia case shows that finding the right balance is not optional. It is a matter of survival in industries where intellectual property defines competitive advantage.

Conclusion

Nvidia’s trade secrets case is more than a legal dispute. It is a cautionary tale about the risks posed by insiders. Moniruzzaman’s misuse of Valeo’s code was not a sophisticated hack. It was a simple act of carrying files from one employer to another. Yet the consequences were enormous.

For cybersecurity professionals, the lesson is clear: insider threats are real, costly, and often invisible until it is too late. Companies must invest in tools, processes, and culture to detect and prevent them. Because in the end, the most dangerous attacker may already be inside.

David Avatar
