Equifax CIO Put ‘2 and 2 Together’ Then Sold Stock, SEC SaysBy and
SEC, Justice Department say illicit sale followed cyberattack
Ying sold almost $1 million worth of stock, government says
The text from the Equifax Inc. executive sounded ominous: “We may be the one breached.”
Yet before the wider world learned of the credit bureau’s massive hack -- in which sensitive information for more than 140 million U.S. consumers had been compromised -- the executive, Jun Ying, was selling Equifax stock, federal authorities now say.
Six months after the cyberattack shook Equifax and raised questions about suspicious trading by several executives there, the Department of Justice on Wednesday charged Ying with insider trading. Prosecutors say he searched on the internet for what might happen to Equifax stock when the news of the attack broke, then exercised all of his stock options. The move netted him more than $480,000. Ying’s lawyers, Douglas I. Koff and Craig S. Warkol of Schulte Roth & Zabel, declined to comment on Ying’s behalf.
Wednesday’s announcement marks the first criminal charge brought in one of the largest data breaches in history. Ying, the former chief information officer for Equifax’s U.S. information-solutions business, used confidential information entrusted to him by the company to determine it had been hacked, according to a separate complaint filed by the Securities and Exchange Commission.
Equifax interim Chief Executive Officer Paulino do Rego Barros said in a statement Wednesday that the company reviewed Ying’s trading and, after concluding he violated the firm’s policies, reported its findings to government authorities. “We are fully cooperating with the DOJ and the SEC, and will continue to do so,” Barros said.
Ying, 42, lives in Atlanta and worked at Equifax from 2013 until last October. On Friday, Aug. 25, he received an email asking him to handle breach remediation for an internal project code-named Sparta. The email stated that Equifax’s global consumer-solutions business was working on a “VERY large breach opportunity” and that the request was “extremely time sensitive,” according to the SEC’s complaint.
Hours after receiving the initial email, Ying was invited to a mandatory conference call. While he didn’t initially join the call, one of his direct reports did, the SEC said. That person texted Ying that he’d been asked to help prepare the IT applications they oversaw to handle roughly 10 million customers. Ying then joined the conference call, initially resisting the requests to assist on the project.
When Ying talked privately with his supervisor, the manager’s message was cryptic: He told Ying he didn’t need to know why he had to comply with Project Sparta at that time, but at some point he would come to understand what was happening.
Ying then texted the direct report, according to the complaint. “Sounds bad. We may be the one breached,” he wrote. “Starting to put 2 and 2 together.”
The following Monday, he conducted web searches about the impact of Experian Plc’s 2015 data breach on its stock price, the agency found. Hours later, Ying exercised all of his available stock options, resulting in him receiving 6,815 shares of Equifax stock. He then sold the stock for more than $950,000.
The following week, Equifax disclosed the cyberattack. The hack has shaken confidence in the Atlanta-based company, which faces more than 240 class-action lawsuits and more than 60 regulatory or government inquiries.
For more on cybersecurity, check out the Decrypted podcast:
Equifax stock plunged in the days after the breach was disclosed. Ying, who was next in line to become the company’s global CIO, avoided more than $117,000 of losses by selling his shares, the SEC said.
In its complaint, the SEC said Equifax offered Ying the job of global CIO on Sept. 15. The company then rescinded the promotion after senior executives learned of his stock trading. Equifax concluded on Oct. 16 that Ying had violated the company’s insider-trading policy and that he should be terminated, prompting his resignation, the SEC said.
In September, Justice opened a criminal investigation into whether top officials at Equifax had violated insider trading laws before the breach was disclosed. Three Equifax Inc. senior executives -- Chief Financial Officer John Gamble, and unit presidents Joseph Loughran and Rodolfo Ploder -- sold shares worth almost $1.8 million in the days after the company discovered the breach. Equifax has said those three executives had not been informed of the incident when they initiated the sales.
Ying’s stock sale hadn’t been previously reported because he wasn’t a named executive officer.
— With assistance by Anders Melin