Federal authorities have charged a senior Equifax executive with insider trading for allegedly selling almost $1 million worth of company stock 10 days before officials disclosed a website hack that exposed sensitive information for more than 143 million US consumers.
Jun Ying was CIO of Equifax’s United States Information Systems business unit in the months leading up to Equifax’s bombshell announcement on September 7 that the breach exposed Social Security numbers, birth dates, and other sensitive data for as many as 143 million people. According to a complaint filed Wednesday by the US Securities and Exchange Commission, Ying’s first indication his employer had been breached came on August 25 when he and colleagues received an email alerting them to a “very large breach opportunity” that would require additional capacity from IT systems to process. To keep the Equifax breach confidential, the email and subsequent discussions didn’t name Equifax as the victim and instead suggested it involved an Equifax client.
Putting 2 and 2 together
Ying only needed a few hours, however, to suspect his employer was the one that had been breached, prosecutors said. At 5:27 that afternoon, after speaking privately with the CIO of the main Equifax company, Ying allegedly sent a text message to one of his employees that read: “On the phone with [global CIO]. Sounds bad. We may be the one breached… Starting to put 2 and 2 together.”
Over the next few hours, Ying allegedly received numerous additional indications that Equifax was the company hit by the breach he and his team were responding to. By that point, it was a Friday evening, and security markets were closed.
The following Monday morning, Ying performed a series of telling Web searches. One query, prosecutors said, was “Experian breach.” Another, allegedly, was “Experian stock price 9/15/2015,” and a third was “Experian breach 2015.” Prosecutors said Ying performed the searches to understand a September 2015 breach of Experian—which, along with Equifax, is one of the three major credit bureaus—and the effect the breach had on Experian’s stock price. Ying’s browsing history shows that he received results showing Experian’s stock price fell four percent following news of the breach, which was smaller than the one that had hit Equifax.
Less than an hour after the searches, Ying allegedly accessed his company-sponsored stock plan and exercised all of his vested options to buy Equifax shares. He then allegedly sold those Equifax shares for total proceeds of more than $950,000. Equifax publicly disclosed the breach after the market closed on September 7. On September 8, Equifax shares closed down 14 percent from the prior day’s close. By selling the shares before the breach was publicly disclosed, the executive avoided more than $117,000 in losses that would have resulted had he not sold until after the news of the breach became public, prosecutors alleged.
“These securities transactions were made on the basis of material nonpublic information and breached the duty of trust and confidence that Ying owed to Equifax and its shareholders,” prosecutors wrote in Wednesday’s complaint. “Ying knew or was reckless in not knowing that the information that Equifax itself was the victim of a major cybersecurity breach was material and nonpublic, and Ying used that information when making these securities transactions.”
Prosecutors with the Justice Department filed a criminal indictment against Ying that makes similar allegations.
On September 15, Ying received an offer to become the Equifax CIO, following the resignation of the then-current CIO. Equifax officials later withdrew the offer after learning of the stock sales. In a statement published Wednesday, Equifax officials wrote:
Upon learning about Mr. Ying’s August sale of Equifax shares, we launched a review of his trading activity, concluded he violated our company’s trading policies, separated him from the company, and reported our findings to government authorities. We are fully cooperating with the DOJ and the SEC and will continue to do so.
We take corporate governance and compliance very seriously and will not tolerate violations of our policies.
In the months following the breach disclosure, Equifax revealed that the hack of its website resulted from the failure to install a two-month-old patch fixing a critical Web-application bug. Since disclosing the breach, Equifax has repeatedly increased its estimate of the number of people affected by the breach, with the most recent upward revision coming on March 1. The current estimate stands at about 148 million people. In October, the Equifax website was caught redirecting visitors to sites offering maliciously faked Flash updates.
The allegation that one of Equifax’s top executives used his inside knowledge of the hack to avoid a $117,000 stock loss is only the latest insult to the public. In February, the SEC published a formal statement that officially codified something that any competent executive should have known long ago: cybersecurity risks and issues are material events that are subject to insider-trading laws.