I have stood in enough crisis war rooms to know the first question after a cyber incident. It is always the same. "When do we get back up?" Nobody has ever asked me what just left the building.
That second question should keep a quality director awake. Downtime has an endpoint. Exfiltration does not.
The breach that wasn't about downtime
Foxconn lost roughly 8 terabytes to the Nitrogen ransomware group — 11 million files pulled from their servers. The headlines fixated on production halts and encrypted systems. Wrong fixation. Nitrogen did not just lock the doors and demand a key. They copied the blueprints, walked out, and kept walking. When you restore from backups, the downtime ends in days or weeks. The files are still out there — permanently — in the hands of whoever paid for them or will pay next.
Manufacturing is the target. India's industrial base absorbed nearly 20% of ICS attacks in a single quarter. Apple's supply chain details surfaced after a supplier breach. The conversation is almost entirely about availability. Can the line run? Can the PLC talk to the SCADA system? Those matter. But they are the easy problem. The hard problem is that nobody in the quality function is in the room when these incidents are modelled.
What those 11 million files actually contain
I will be precise, because vague warnings bore me. A Tier 1 manufacturing file server does not hold office memos and birthday photos. It holds the institutional memory of how you make conforming parts.
PFMEAs documenting every failure mode your engineering team has identified — sometimes across decades. Control plans defining every measurement point, every frequency, every reaction rule. Supplier PPAP packages with full dimensional layouts, material certs, and capability studies from hundreds of sub-tier suppliers. Defect databases with years of 8D reports, containment actions, and root-cause analyses that cost millions in scrap and customer escalations to produce.
This is process IP. Competitive advantage compressed into files. And it left the building.
An encrypted server is a bad week. A stolen control plan is a permanent strategic wound.
The standards gap nobody talks about
Here is an uncomfortable observation. I have built my career around AS9100, IATF 16949, VDA 6.3, ISO 9001 — the full alphabet. I have led external audits to clean results, cut EASA findings by 50% in a single cycle. These standards are rigorous about documented information, retention, traceability, control of records. They say nothing — genuinely nothing — about what happens when that documented information is exfiltrated to an adversary who can read a control plan and understand what it means.
Every incident response plan I have reviewed stops at recovery. Can we restore? Can we rebuild? The assumption is that the data, once recovered, is still yours alone. That assumption died the day ransomware groups shifted from locking data to stealing it first and encrypting second. Double-extortion is not a footnote in a threat report. It is the operating procedure.
How I would classify my own quality records
I hold a CEH certification. I have spent time on the offensive side of security — responsible disclosure work, bug-bounty listings, the mechanics of how systems get compromised. I also run manufacturing engineering technical authority for Airbus in North America. Those two worlds collide daily, and the collision point is this: IT security policies classify documents by format and location. They do not classify them by strategic value. A PFMEA and a canteen menu sit in the same shared-drive bucket until someone bothers to separate them.
If I were building a classification scheme for quality records, I would start with the things that took years to learn. The process parameters behind the 97% internal lead-time reduction we achieved at Airbus through Routing Verification KPIs — those represent months of engineering iteration and failed approaches. A competitor who obtains them skips the learning curve entirely. Or take the QRQC playbooks, A3 templates, and Q-Wall structures I deployed at WITTE Automotive to drive down failure costs — those encode a problem-solving philosophy built over years, not weeks. At SNOP, where I built a greenfield QA/QC department for over 900 employees from a bare concrete floor, the architecture alone — inspection routing, supplier qualification matrices, the specific sequencing of defect-prevention layers — is a blueprint someone could lift and deploy in months instead of years.
Current IT security does not see any of this. DLP rules flag credit card numbers and national insurance identifiers. They do not flag a PFMEA for a proprietary assembly process. Access controls govern who can open a folder. They do not govern who can understand what is inside once it has left the network.
Key takeaways
- Map process IP before you lose it. Walk your file servers with a quality engineer, not just an IT administrator. Identify which records — PFMEAs, control plans, supplier evaluations, defect databases — would cause strategic damage if they reached a competitor.
- Tier your quality records by competitive sensitivity. Not every inspection report is critical. But the parameters behind your cycle-time improvements, your defect-reduction playbooks, and your supplier qualification architecture are. Classify accordingly.
- Segment access by role, not by department. A process engineer who needs a PFMEA does not need every supplier PPAP. Broad shared-drive access is the exfiltration pathway of choice. Restrict it.
- Pressure-test your incident response plan for exfiltration, not just recovery. If your tabletop exercise ends at "we restored from backup," run it again. Ask what was copied before encryption, where it went, and what competitive exposure remains after the line is running again.
The Foxconn breach will be remembered as a downtime story. It should be remembered as something else. Eleven million files walked out the door, and somewhere in that haul are process documents that took years of engineering judgment, supplier negotiation, and defect analysis to produce. The line will run again. The knowledge is already gone — and the competitor who buys it will never send a receipt. Build the classification before the post-mortem, because post-mortems assume the patient is still alive. In the cases that matter, the advantage is already dead.