In September 2017, Equifax went public about a massive data breach that saw hackers steal information about 143 million US consumers – including names, addresses, social security numbers, and dates of birth. Later, the company confirmed that a further 15.2 million Brits also had their personal data breached.
Equifax became the butt of many jokes, as well as the target of some anger, when it was revealed that the company had waited 40 days before announcing it had been hacked, and that its IT team had known about the vulnerability exploited by the hackers as far back as March 2017, but for some reason failed to patch at-risk systems.
So, just what was Equifax doing during those 40 days between discovering it had been hacked and sharing the bad news with the world?
Well, now we know. Or at least we know what Jun Ying, the CIO of Equifax US Information Solutions, was doing.
Ying, who was next in line to be Equifax’s global CIO, realised that Equifax had suffered a security breach and used that confidential information – before the company’s public disclosure – to exercise all of his vested Equifax stock options, selling the shares for nearly US $1 million.
He would have sold them for a lot less if he had waited until details of the data breach had been shared with the rest of the world, says the Department of Justice:
“On Friday, August 25, 2017, Ying texted a co-worker that the breach they were working on “sounds bad. We may be the one breached.” The following Monday, Ying conducted web searches on the impact of Experian’s 2015 data breach on its stock price. Later that morning, Ying exercised all of his stock options, resulting in him receiving 6,815 shares of Equifax stock, which he then sold. He received proceeds of over $950,000, and realized a gain of over $480,000, thereby avoiding a loss of over $117,000. On September 7, 2017, Equifax publicly announced its data breach, which resulted in its stock price falling.”
Ying has been sentenced to four months in a federal prison, ordered to pay more than US $117,000 in restitution, and fined $55,000.
Extraordinarily, he wasn’t the only person to be convicted for insider trading in the wake of the Equifax breach.
Last year, Sudhakar Reddy Bonthu, a production development manager in Equifax’s software management team, sentenced and fined after using a sharing trading account in his wife’s name to buy ‘put options’ that correctly predicted the company’s stock price would drop by mid-September 2017.
Bonthu deduced that the project he had been given of building a breach disclosure website was not, as his bosses had told him, for one of Equifax’s clients but instead for Equifax itself.