Equifax engineer who designed breach portal gets 8 months of house arrest for insider trading

SEC said engineer figured out on his own that the website he was building was for the company's security breach.
Written by Catalin Cimpanu, Contributor

A former Equifax engineer who coded parts of the company's breach notification website for last year's security incident was sentenced this week to eight months of home confinement and restitution of ill-gotten funds after using insider information about the Equifax breach to make over $75,000 from insider trading.

The sentence was passed down yesterday by an Atlanta judge to a man named Sudhakar Reddy Bonthu, 44, of Cumming, Georgia.

The US Securities and Exchange Commission (SEC) charged Bonthu in June. He pleaded guilty a month later.

According to court documents, Bonthu was one of the engineers who worked on coding the equifaxsecurity2017.com website, where Equifax sent customers to see if they were affected by last year's security breach, during which a hacker stole the personal details of over 145 million users.

More specifically, he created "an online user interface into which users could input information to determine whether they had been impacted by the breach."

At the time he was tasked with creating this interface, he was working at Equifax as Production Development Manager of Software Engineering in Equifax's Global Consumer Solutions (GCS) business unit. His regular job involved creating software for Equifax's internal use, but also for Equifax customers.

In August 2017, Equifax managers told Bonthu he had been recruited to work on an internal project named Project Sparta. Managers didn't provide Bonthu with details about the project, but they said the company was handling a security breach for a high-priority client that was going public with news of a breach the next month, in September 2017.

Bonthu was ordered to create the online interface through which that company's customers would be able to query a database and see if they were affected.

The SEC said in an indictment that Bonthu realized on his own, based on test data and discussions on internal mailing lists, that the secretive Project Sparta client was, in reality, his employer.

The SEC said that Bonthu abused this information and used his wife's brokerage account to buy 86 "put options" in Equifax stock worth $2,166.11. The options would pay off if Equifax's stock fell below $130 per share by September 15.

As expected, Equifax stock plummeted after the company disclosed its breach on September 7, 2017, and the stock price reached $123.23 on September 15, netting Bonthu $77,333.79 (profit of $75,167.68), a 3,500 percent increase on his investment.

Bonthu's transactions came to light after Equifax started internal investigations into several reported cases of employee insider trading.

The company fired Bonthu in March 2018 after he refused to cooperate with its investigation. He had worked at Equifax since September 2003.

Bonthu was sentenced yesterday for his crime. The judge also imposed a fine of $50,000. As part of his SEC settlement, he must also forfeit $75,979, the ill-gotten funds, plus interest.

Bonthu was the second Equifax employee charged for insider trading after the SEC charged former Equifax executive Jun Ying in March. Ying's case is still ongoing.