Apple sues OpenAI over alleged theft of hardware trade secrets
- Evelyn Carter

- 1 day ago
- 4 min read
On July 10, 2026, Apple filed a lawsuit against OpenAI, io Products, and two former Apple employees in the U.S. District Court for the Northern District of California. Case No. 5:26-cv-07078 alleges the misappropriation of trade secrets involving hardware, manufacturing processes, and supply-chain information. These remain Apple’s allegations and have not been confirmed by the court. No specific CVE is associated with the case.
The lawsuit reflects more than growing competition between two major technology companies. Apple’s complaint describes a familiar set of enterprise risks: corporate devices that were not returned, access rights that allegedly remained active after employment ended, data transferred to personal accounts, and confidential information potentially exposed during recruitment.
OpenAI has denied having any interest in another company’s trade secrets and said it is reviewing the complaint. Because the proceedings are still at an early stage, the conduct described below should be treated as allegations made by Apple rather than established findings.

What has Apple accused OpenAI and its former employees of doing?
Apple alleges that Chang Liu and Tang Yew Tan took or used confidential information to support OpenAI’s hardware development activities. The complaint also claims that OpenAI and io Products benefited from Apple’s internal knowledge, supplier relationships, and proprietary data.
Defendant | Apple’s main allegations | Verification status |
Chang Liu | Allegedly failed to return an Apple-issued laptop, used an authentication flaw to retain access to internal storage, downloaded dozens of confidential hardware files, and advised a colleague on avoiding security detection | Not yet determined by the court |
Tang Yew Tan | Allegedly transferred supplier information outside Apple, used internal project codes and terminology during recruitment, and asked candidates to bring components or design materials to interviews | Not yet determined by the court |
OpenAI and io Products | Allegedly structured recruitment and supplier engagement in ways that enabled access to confidential knowledge and accelerated OpenAI’s hardware program | OpenAI denies seeking Apple’s trade secrets |
What internal control weaknesses does the case highlight?
Regardless of the lawsuit’s eventual outcome, the scenario described by Apple shows why companies cannot rely only on employee confidentiality agreements. Effective data protection requires coordinated controls across identity, endpoints, information governance, monitoring, legal processes, and human resources.
Weaknesses that commonly enable similar incidents include:
User accounts and active sessions remaining available after an employee leaves.
Laptops, mobile devices, and physical authentication keys not being collected.
Confidential files being transferable to personal email or messaging platforms.
No alerting for unusual or high-volume document downloads.
Recruitment processes that do not clearly limit what candidates may disclose.
Suppliers failing to verify authorization before sharing proprietary information.
Data Loss Prevention, or DLP, can help identify and restrict attempts to copy, upload, send, or transfer sensitive information outside approved environments.
For organizations using artificial intelligence tools, policies should also specify what employees are permitted to enter into external AI systems. Data classification, access controls, and approval processes are essential when confidential information may be exposed through generative AI platforms.
What should businesses do immediately?
Organizations should review both recently departed employees and accounts displaying unusual download or transfer activity. Any investigation should preserve evidence and comply with employment law, privacy requirements, and internal legal procedures.
Priority action checklist:
Compile a list of employees who left the company or changed roles within the past 90 days.
Verify the status of each person’s accounts, tokens, VPN access, code repositories, and storage permissions.
Confirm that laptops, mobile devices, access cards, and hardware security keys have been returned.
Search for bulk downloads, outbound email transfers, USB copying, and uploads to personal cloud applications.
Force sign-outs, revoke tokens, and rotate shared credentials when employment ends.
Apply DLP controls based on classifications such as Public, Internal, Confidential, and Restricted.
Prohibit candidates from bringing documents, prototypes, or data belonging to former employers into interviews.
Require suppliers to validate authorization through an independent channel before sharing proprietary processes or designs.
What does the IPSIP expert perspective indicate?
It is too early to establish the root cause of the Apple–OpenAI dispute. However, similar incidents are often enabled by inconsistent offboarding, residual access rights, insufficient endpoint controls, and limited behavior-based monitoring.
Vietnamese businesses should treat employee offboarding as a security process rather than a purely administrative task. HR, direct managers, IT, legal, and cybersecurity teams should follow the same checklist, with clear ownership and documented completion.
Which IPSIP Vietnam's solutions are relevant?
Microsoft Intune Mobile Device Management is suitable for organizations that need to inventory devices, enforce security policies, revoke corporate access, or remove company data from managed endpoints. MDM does not replace DLP or security monitoring, but it can reduce risks associated with unreturned or unmanaged devices.
SOC 24/7 is relevant when organizations need centralized monitoring of identity, endpoint, server, and cloud logs to detect unusual access or data-transfer behavior.
Security awareness training can be tailored for HR teams, hiring managers, and technical staff, with a focus on trade-secret protection, confidentiality obligations, and acceptable information-sharing during recruitment.

FAQ
Is Apple suing OpenAI over a security vulnerability or data theft?
Apple’s lawsuit primarily concerns alleged trade-secret misappropriation and contractual violations. An authentication flaw is only one part of the allegations involving Chang Liu and is not the sole basis of the case.
Has OpenAI been found guilty of stealing Apple’s secrets?
No. The complaint presents Apple’s claims and supporting arguments. OpenAI has denied having any interest in another company’s trade secrets, and the court has not yet determined liability.
Can DLP completely prevent insider data leakage?
No. DLP can detect and restrict many data-transfer channels, but it must be combined with identity governance, MDM, least privilege, log monitoring, employee training, and a reliable offboarding process.
References
https://apnews.com/article/apple-openai-lawsuit-trade-secrets-theft-6fff8833f5889d86406b89a02dd8fb16









Comments