Naked Security

Former Equifax exec charged with stock dumping before breach disclosure

The SEC says that Jun Ying would have lost over $117,000 if he'd waited until after the public disclosure of the breach to sell his stocks.

A former Equifax CIO has been charged with insider trading leading up to the 2017 breach.
The US Securities and Exchange Commission on Wednesday charged Jun Ying, former CIO of an Equifax business unit that was called on for breach remediation and next in line to be the company’s global CIO, with using confidential information to conclude that it wasn’t just Equifax customers who’d suffered a serious breach.
Rather, as the SEC’s complaint describes, Ying correctly surmised that it was Equifax itself that had sprung an enormous leak, writing this in a text message:

On the phone with [global CIO]. Sounds bad. We may be the one breached. . . . Starting to put 2 and 2 together.

Putting 2 and 2 together led to a lot more than 4, the SEC alleges: it led to Ying avoiding the loss of a good chunk of the proceeds he made from unloading what would soon become less valuable stock.
That oil leak of a breach spread out to affect 145.5 million Americans, 15.2 million Brits, and some 100,000 Canadians: victims whose personal data, including taxpayer IDs, home addresses, driver’s license states, dates of issuance or expiration, and more, were exposed.
Equifax’s subsequent investigation continues apace, uncovering yet more victims: Equifax came across another 2.4 million Americans who were affected, the data monger disclosed earlier this month.
The SEC alleges that before any of this became public, Ying exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly $1 million. According to the complaint, he would have lost more than $117,000 if he’d waited until after the public disclosure of the breach to sell his stocks.
The SEC’s announcement quoted Richard R. Best, Director of the SEC’s Atlanta Regional Office:

As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public. Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.

Ying is also facing parallel criminal charges from the Attorney’s Office for the Northern District of Georgia.
The SEC’s complaint charges Ying with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief.

Will Ying be the only Equifax exec to face stock-dumping charges? As it is, three Equifax senior executives sold shares worth almost $1.8m in the days after the company discovered the breach but before it was disclosed.
Equifax has said that those three hadn’t been informed of the breach before they sold their stock. Still, plenty of people have smelled plenty more than just one rat. It could turn out that Ying is just the first to face the music.


Preaching-To-The-Choir Comment, Take One:
I’ll be the first to admit that it’d be extremely difficult to retain stocks I knew were about to tank. But dangit… the guy made nearly a million bucks in ten minutes and “only” avoided losing $117,000.
Even without a crystal ball to know precisely how much his profit gain would suffer, this wasn’t the sharpest move–despite that he surmised at the time he was being clever–has he never heard of Martha Stewart?
I’d bet good money that insider trading only works when no one will ever hear about your huge, profit-dumping faux pas–as opposed to millions of people up in arms over a breach–and I expect his losses now exceed a mere twelve percent of that cool mil.
Jun, even without your IT ties to the potential for having prevented this, serves ya right dude.


See? Kingpin levels of criminal stuff. I told you someone or some people were going to show that they were doing something they weren’t supposed to.
So when the next breach of a company happens and no one can get an answer as to why their network security was whack, you’ll know to see if someone is trying some underhanded stuff.

