Former Equifax executive sent behind bars for insider trades, profiting on data breach

An opportunity to cash in on the data breach was seized, with prison as a consequence.
Written by Charlie Osborne, Contributing Writer

A former Chief Information Officer (CIO) of Equifax has been issued a prison sentence for insider trading on the firm's disastrous data breach before the incident became public knowledge. 

Jun Ying served as the CIO of the credit rating agency's US Information Solutions arm at the time a 2017 data breach resulted in the exposure and theft of information belonging to roughly 145 million US citizens. 

Consumer data including names, Social Security numbers, dates of birth, home addresses, and partial driving license details were exposed. 

An Apache Struts vulnerability present in Equifax systems -- despite a patch being made available two months prior -- was blamed for the breach. 

See also: Cirque du Soleil app gives attackers same admin rights as operators

The data breach not only hammered the firm's reputation but has also cost Equifax hundreds of millions of dollars in damage control, legal fees, and court battles, resulting in a cut Moody's outlook from stable to negative in recent months. 

At the time of the incident, however, Ying appeared to only be concerned about protecting his own interests. 

After receiving a tip in his role as a CIO that a potential data breach had taken place, Ying began researching the potential impact the public disclosure of the cyberattack may have on the Equifax share price. 

CNET: Facebook again fails to block DC attorney general's lawsuit

After examining how rival company Experian suffered after a 2015 data breach, two days after the discovery of the incident, Ying exercised his stock options and received a total of 6,815 shares. 

The 44-year-old executive then sold all of his stock, resulting in payment of over $950,000. According to US prosecutors, the insider trading benefited Ying to the tune of over $480,000 and circumvented a loss of over $117,000. 

Several weeks later, Equifax publicly admitted to the data breach and the firm's share price plummeted. 

Ying pleaded guilty to insider trading and was sentenced to four months in prison with a year of supervised release. In addition, the former CIO was fined $55,000 and ordered to pay $117,117 in restitution.

TechRepublic: How to set up multi-factor authentication for an IAM user in AWS

"Ying thought of his own financial gain before the millions of people exposed in this data breach even knew they were victims," said US Attorney Byung Pak. "He abused the trust placed in him and the senior position he held to profit from inside information." 

The executive is the second former Equifax employee to be charged after trying to cash in on the data breach. An ex-manager, Sudhakar Reddy Bonthu, pleaded guilty to insider trading in July following similar allegations of selling stock ahead of the breach's public disclosure. 

Bonthu was sentenced to eight months of home confinement and was both fined $50,000 and ordered to forfeit $75,979. 

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards