The former chief information officer of Equifax’s U.S. business dumped nearly $1 million in company stock after learning of the massive data breach at the credit reporting agency, but before the breach was disclosed to the public, the Securities and Exchange Commission and Department of Justice said Wednesday.
The SEC and DOJ announced Wednesday that each agency is charging Jun Ying, the former chief information officer of Equifax’s U.S. Information Solutions business, with insider trading.
According to the agencies, Ying became aware of the breach more than a week before it was publicly announced and used that knowledge to exercise all of his available stock options to buy Equifax shares, which he immediately sold.
The total proceeds of Ying’s stock sales were more than $950,000, and he realized a gain of more than $480,000 on the trades.
According to the SEC, by selling his stock before the breach was disclosed, Ying avoided more than $117,000 in losses that he would have suffered when the company’s stock tanked after the breach became public.
This isn’t the first time that an Equifax exec was accused of insider trading after the data breach that exposed the personal information of nearly 148 million U.S. consumers to hackers.
In the wake of the breach first being exposed, questions were raised about the stock trades of four company executives – John Gamble, chief financial officer; Joseph Loughran, president, U.S. information solutions; Rodolfo Ploder, president, workforce solutions; and Douglas Brandberg, senior vice president, investor relations.
Those executives made the trades of company stock in the period between when the breach took place and when Equifax disclosed it to the public.
A company investigation later found that none of the four execs were aware of the data breach when they made the trades in question, but that doesn’t appear to be the case with Ying’s trades.
According to the SEC, Ying’s position in the company and the information passed to him allowed Ying to deduce that the company was the victim of a data breach in late August, over a week before the breach was disclosed to the public.
Ying was the chief information officer of the company’s U.S. business, and was actually the leading candidate to replace Dave Webb as the global chief information officer after Webb “retired” in the immediate aftermath of the breach.
That role ended up going to Mark Rohrwasser, who was appointed interim chief information officer. Rohrwasser joined Equifax in 2016 and previously led Equifax's international IT operations.
According to the SEC, Ying was actually offered the job when Webb retired but the offer was pulled after the company’s senior executives learned of Ying’s questionable trades.
Following an internal Equifax investigation into Ying’s trading, the company concluded that he violated the company’s insider trading policy and that his employment should be terminated, the SEC said. At the conclusion of that investigation, Ying agreed to resign.
In a statement released Wednesday, Equifax confirmed the sequence of events and said that it is “fully cooperating” with the DOJ and the SEC.
“Upon learning about Mr. Ying’s August sale of Equifax shares, we launched a review of his trading activity, concluded he violated our company’s trading policies, separated him from the company and reported our findings to government authorities,” Equifax said in its statement.
“We are fully cooperating with the DOJ and the SEC, and will continue to do so,” the company added. “We take corporate governance and compliance very seriously, and will not tolerate violations of our policies.”
The SEC complaint provides a full blow-by-blow of how the company first learned of the breach, what it did in the aftermath, how Ying allegedly came to know of the breach, and what he supposedly did after.
According to the SEC, Equifax set up two internal teams in the wake of the breach’s discovery.
One team, codenamed “Project Sierra,” dealt with the breach investigation. That team was kept quiet and the breach’s existence was not communicated to the vast majority of the company’s employees.
At the same time, another team, called “Project Sparta,” was formed to deal with the notification and remediation plan for the millions of consumers affected by the breach, although those Equifax employees were not aware at the time that the breach in question had happened at Equifax.
The Project Sparta team was told that they were working for an unnamed client that had experienced a large data breach.
Ying was a member of Project Sparta.
On Friday, Aug. 25, 2017, Ying and some other members of the Project Sparta team were notified that the company’s Global Consumer Solutions business unit was working on a “‘VERY large breach opportunity’ that required a dramatic increase in the capacity of the relevant technology systems, and that this was ‘an extremely time sensitive request,’” the SEC said.
After being notified, Ying allegedly raised concerns about the nature of the project and the deadline and was instructed to call David Webb, the global CIO, about his concerns.
Later that day, Ying called Webb, who told Ying that he was expected to comply with the requests. “The global CIO also told Ying that, at that time, Ying did not need to know why he had to comply, but that at some point, Ying would understand what was happening,” the SEC said.
After that call, Ying texted with a direct report employee and said that he believed that Equifax may be the one that was actually breached, writing: “Sounds bad. We may be the one breached. . . . Starting to put 2 and 2 together.”
The following Monday, Aug. 28, 2017, Ying allegedly began searching the internet for information about the 2015 data breach at Experian and how that breach affected the company’s stock price.
“Ying’s internet browsing history indicates that Ying reviewed market data showing that Experian’s stock price dropped approximately four percent after the public announcement of the breach,” the SEC said.
“By no later than 10:00 a.m. on August 28, 2017, based on nonpublic information entrusted to him by his employer, Equifax, Ying had concluded that Equifax itself was the victim of a major cybersecurity breach, despite the statements made as part of Project Sparta asserting that it was a business opportunity for an unnamed client,” the SEC said.
At that point, Ying allegedly took that information and began making the trades in question.
According to the SEC, Ying held 6,815 vested options, which he continued to hold until Aug. 28, 2017.
The SEC alleges that within an hour of running the internet searches regarding the Experian breach, Ying accessed his company-sponsored stock plan account with UBS Financial Services, exercised all of his vested options to buy Equifax shares, and then immediately sold those Equifax shares for total proceeds of more than $950,000.
Two days later, Ying was officially notified of the breach by company executives but did not tell anyone that he had exercised and sold all of his vested Equifax options just two days before.
The SEC’s complaint charges Ying with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief.
“As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” said Richard Best, Director of the SEC’s Atlanta Regional Office. “Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.”
The U.S. Attorney’s Office for the Northern District of Georgia also announced Wednesday that Ying had been indicted for insider trading but did not detail the number of charges that Ying is facing.
According to the U.S. Attorney’s Office, Ying will be arraigned on the charges later this week.
“This defendant took advantage of his position as Equifax’s USIS Chief Information Officer and allegedly sold over $950,000 worth of stock to profit before the company announced a data breach that impacted over 145 million Americans,” said U.S. Attorney Byung Pak. “Our office takes the abuse of trust inherent in insider trading very seriously and will prosecute those who seek to profit in this manner.”