DoJ – Former CIO knew of breach and opted to excise his stock options before breach became public
The US Department of Justice has issued a very clear warning to company executives who try to exploit financial gain out of data security breaches.
Jun Ying, the former Chief Information Officer CIO of credit checking specialist Equifax US Information Solutions, has been sentenced to four months in a federal prison for insider trading.
It comes after an investigation into the highly damaging breach of Equifax back in September 2017. That breach resulted in the theft of the data belonging to 143 million US consumers (and 15.2 million British citizens). Data stolen included names, addresses, social security numbers, and dates of birth.
What made the Equifax breach so damaging, was that the firm had discovered the breach back in July 2017 but waited 40 days before telling the world.
Even worse, Equifax’s IT team had known about the about the vulnerability exploited by the hackers as far back as March 2017, after a security researcher had warned the firm about its vulnerability to a cyberattack months before it actually suffered the breach.
This meant that there were personnel within Equifax’s senior management that knew of the breach long before the firm publicly declared the security incident.
The US Department of Justice said that Equifax CIO Jun Ying, had access to sensitive information that led him to conclude that Equifax was the victim of the data breach before it was made public.
“On Friday, August 25, 2017, Ying texted a co-worker that the breach they were working on ‘sounds bad. We may be the one breached.’” said the DoJ.
It said that the following Monday, Ying conducted web searches on the impact of Experian’s 2015 data breach on its stock price.
“Later that morning, Ying exercised all of his stock options, resulting in him receiving 6,815 shares of Equifax stock, which he then sold,” said the DoJ. “He received proceeds of over $950,000, and realized a gain of over $480,000, thereby avoiding a loss of over $117,000. On September 7, 2017, Equifax publicly announced its data breach, which resulted in its stock price falling.”
“Ying thought of his own financial gain before the millions of people exposed in this data breach even knew they were victims,” said US Attorney Byung J. Pak. “He abused the trust placed in him and the senior position he held to profit from inside information.”
“If company insiders don’t follow the rules that govern all investors, they will face the consequences for their actions,” said Chris Hacker, Special Agent in Charge of FBI Atlanta.
“Otherwise the public’s trust in the stock market will erode,” said Hacker. “The FBI will do everything in its power to stop anyone who takes unfair advantage of their insider knowledge.”
Jun Ying, 44, of Atlanta, Georgia, was sentenced to four months in prison to be followed by one year of supervised release.
He was also ordered to pay restitution in the amount of $117,117, and fined $55,000.
It should be noted that Ying is the second Equifax employee found guilty of insider trading relating to the data breach, following Sudhakar Reddy Bonthu, a former manager at Equifax, who pleaded guilty on July 23, 2018.
The fallout from the 2017 Equifax breach triggered multiple investigations across the world, and the credit monitoring firm was hauled up before the US Congress, where former CEO (he had resigned over the matter) Richard Smith faced a serious grilling from US Senators.
Do you know all about security? Try our quiz!