Governance , Incident & Breach Response , Insider Threat
Prosecutors Say Jun Ying Sold Stock Before Data Breach Was Made Public(@Ferguson_Writes) • June 28, 2019A former Equifax CIO who sold his stock in the company after learning about its 2017 data breach several months before the public and government agencies were informed has been sentenced to serve four months in federal prison for insider trading.
See Also: Webinar | Passwords: Here Today, Gone Tomorrow? Be Careful What You Wish For.
Jun Ying, 44, who worked as the CIO of Equifax U.S. Information Solutions, pleaded guilty to charges of insider trading in March. He was sentenced Thursday to four months in federal prison and ordered to pay more than $117,000 in restitution and fined $55,000, according to the U.S. Attorney's Office for the Northern District of Georgia, which oversaw the case along with the Securities and Exchange Commission and the FBI.
Ying is the second Equifax executive to plead guilty to insider trading charges stemming from the 2017 data breach. In July 2018, Sudhakar Reddy Bonthu, a former manager at Equifax, pleaded guilty to similar charges and received eight months of home confinement, federal prosecutors said.
The 2017 Equifax breach exposed the personal information of 148 million Americans as well as data on Canadian and U.K. citizens. The incident has spawned several investigations of the company, which found that Equifax's failure to patch a vulnerability in the Apache Struts open source web application framework allowed attackers to find their way into the network and steal personal data (see: Equifax's Colossal Error: Not Patching Apache Struts Flaw).
Over the course of the last two years, the data breach has cost Atlanta-based Equifax $1.4 billion, which includes overhauling its information security program.
Inside Knowledge
In his role as one of several CIOs within Equifax, Ying had knowledge of the data breach, which was discovered in the summer of 2017, prosecutors say. At the time, the company kept the incident secret from the public, but a few key executives knew that the attackers had infiltrated the network and stole customers' names, Social Security numbers, birth dates, addresses and other personal identifiable information, according to prosecutors.
As the scope of the breach became more apparent, Ying texted a co-worker on Aug. 25, 2017 and wrote: "Sounds bad. We may be the one breached," U.S. attorneys say.
A few days later, Ying began researching the effects a 2015 data breach at Experian had on that company's stock prices, according to prosecutors. After that, Ying sold all 6,815 shares of Equifax stock that he had accumulated over the years for a total of $950,000, prosecutors found.
By selling the stock at that time, Ying received a gain of $480,00, avoiding a loss of $117,000, according to prosecutors. On Sept. 7, 2017, Equifax announced the data breach and the company watched its stock price plummet as a result.
In the aftermath of the insider trading of Ying, Bonthu and others, the SEC updated its rules and guidelines in 2018 regarding when and how companies need to report cybersecurity intrusions and other incidents to the public and shareholders.
Additionally, these types of security incidents are now considered nonpublic insider information if they are not announced to the public, according to the SEC. This means that the information may not be used in management decisions about buying or selling stock in the company, according to the new rules.
"Directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company," according to an SEC statement.
Ongoing Fallout
While the Equifax data breach happened almost two years ago, the investigations and government reports about the incident continue.
For instance, a report recently released the U.S. Senate Permanent Subcommittee on Investigation found that Equifax failed to follow its own cybersecurity policies, including those prescribing how and when to patch critical software vulnerabilities (see: Congressional Report Rips Equifax for Weak Security).
Company executives also did not prioritize security, and many key decisions were left to lower-level IT employees, the Senate report found.
The Equifax incident has also become a political issue. Democratic presidential hopeful Sen. Elizabeth Warren, D-Mass., along with Rep. Elijah Cummings, D-Md., commissioned a Government Accountability Office report, which recommended that if the government wants to do more to protect consumers, the U.S. Federal Trade Commission should have the ability to impose greater civil penalties against consumer reporting agencies, including Equifax (see: GAO: Equifax-Like Breaches Require Greater Civil Penalties).
Warren also has introduced legislation that would pave the way for top executives at major corporations to face criminal charges if their company's wrongdoing leads to harm, such as a major data breach (see: Sen. Warren Wants CEOs Jailed After Big Breaches).