A former Equifax CIO has been charged with insider trading leading up to the 2017 breach.
The US Securities and Exchange Commission on Wednesday charged Jun Ying, former CIO of an Equifax business unit that was called on for breach remediation and next in line to be the company’s global CIO, with using confidential information to conclude that it wasn’t just Equifax customers who’d suffered a serious breach.
Rather, as the SEC’s complaint describes, Ying correctly surmised that it was Equifax itself that had sprung an enormous leak, writing this in a text message:
On the phone with [global CIO]. Sounds bad. We may be the one breached. . . . Starting to put 2 and 2 together.
Putting 2 and 2 together led to a lot more than 4, the SEC alleges: it led to Ying avoiding the loss of a good chunk of the proceeds he made from unloading what would soon become less valuable stock.
That oil leak of a breach spread out to affect 145.5 million Americans, 15.2 million Brits, and some 100,000 Canadians: victims whose personal data, including tax payer ID, home addresses, the respective drivers’ license states, dates of issuance or expiration dates, and more were exposed.
Equifax’s subsequent investigation continues apace, uncovering yet more victims: Equifax came across another 2.4 million Americans who were affected, the data monger disclosed earlier this month.
The SEC alleges that before any of this became public, Ying exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly $1 million. According to the complaint, he would have lost more than $117,000 if he’d waited until after the public disclosure of the breach to sell his stocks.
The SEC’s announcement quoted Richard R. Best, Director of the SEC’s Atlanta Regional Office:
As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public. Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.
Ying is also facing parallel criminal charges from the Attorney’s Office for the Northern District of Georgia.
The SEC’s complaint charges Ying with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief.
Will Ying be the only Equifax exec to face stock-dumping charges? As it is, three Equifax senior executives sold shares worth almost $1.8m in the days after the company discovered the breach but before it was disclosed.
Equifax has said that those three hadn’t been informed of the breach before they sold their stock. Still, plenty of people have smelled plenty more than just one rat. It could turn out that Ying is just the first to face the music.