Equifax Executive Knew About Breach, Sold Shares For Nearly US$1M

Jun Ying, the CIO of Equifax US Information Solutions, almost got away with it. Then the FBI stepped in ...

In September 2017, Equifax told the world about a massive data breach that saw hackers steal personal information of nearly 160 million customers worldwide. It turns out the company had waited 40 days to disclose information about the hack. In fact, the Equifax IT department knew as early as March 2017 about the vulnerability that was exploited by hackers and never patched the affected systems.

It was at some point during this time that Ying found out about the breach and sold his Equifax shares for nearly US$1 million. It was his chance to 'cut and run' before the news went public and the share price fell, according to a statement released by the Department of Justice:

"On Friday, August 25, 2017, Ying texted a co-worker that the breach they were working on “sounds bad. We may be the one breached.” The following Monday, Ying conducted web searches on the impact of Experian’s 2015 data breach on its stock price. Later that morning, Ying exercised all of his stock options, resulting in him receiving 6,815 shares of Equifax stock, which he then sold. He received proceeds of over $950,000, and realized a gain of over $480,000, thereby avoiding a loss of over $117,000. On September 7, 2017, Equifax publicly announced its data breach, which resulted in its stock price falling."

US Attorney Byung J. 'BJay' Pak was scathing of Ying: "(He) thought of his own financial gain before the millions of people exposed in this data breach even knew they were victims. He abused the trust placed in him and the senior position he held to profit from inside information.”

Ying, 44, pleaded guilty to the charges and was convicted on March 7, 2019. He was sentenced to four months in prison to be followed by one year of supervised release, ordered to pay restitution in the amount of $117,117.61, and fined $55,000.

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.