A former Equifax executive has been indicted on insider trading charges related to alleged sales of the company’s stock he made before Equifax announced a massive data breach that exposed the personal data of more than 140 million Americans.
Jun Ying, former chief information officer of an Equifax division known as U.S. Information Solutions, is accused of selling more than $950,000 in stock before the data breach was made public, according to a Wednesday news release from U.S. Attorney Byung “BJay” Pak’s office.
“This defendant took advantage of his position as Equifax’s USIS Chief Information Officer and allegedly sold over $950,000 worth of stock to profit before the company announced a data breach that impacted over 145 million Americans,” Pak said in the release. “Our office takes the abuse of trust inherent in insider trading very seriously and will prosecute those who seek to profit in this manner.”
Douglas Koff and Craig Warkol, two attorneys for Ying at Schulte Roth & Zabel, declined to comment.
The release said Ying, 42, of Atlanta, will be arraigned this week. He was indicted Tuesday, the release said.
The breach led to the ousting of former CEO Rick Smith. The U.S. Attorney’s Office and FBI and a group of state attorneys general are investigating the breach and how it happened. The Securities and Exchange Commission also is investigating.
In a statement, Equifax Interim CEO Paulino Do Rego Barros, Jr., said “Upon learning about Mr. Ying’s August sale of Equifax shares, we launched a review of his trading activity, concluded he violated our company’s trading policies, separated him from the company and reported our findings to government authorities.”
“We are fully cooperating with the DOJ and the SEC, and will continue to do so,” the CEO’s statement said. “We take corporate governance and compliance very seriously, and will not tolerate violations of our policies.”
Though the breach led to outrage by many on Capitol Hill, little has been accomplished at the federal level in terms of consumer protection since the hacking.
The breach became public in September of last year, but its origins trace back to March 2017 when the U.S. Department of Homeland Security alerted Equifax of the need to patch a vital software application used on its websites and those of many major companies.
Smith, the former chairman and CEO, told Congress in October the alert was sent the next day via email to the Equifax personnel who oversee security of the application, known as Apache Struts. It’s Equifax’s policy that such security updates be made within 48 hours.
But in this case, it wasn’t.
That vulnerability allowed hackers to access some of the most valuable and sensitive personal information on the planet.
A week after Equifax first received the Apache Struts alert from DHS, a scan that “should have identified any systems that were vulnerable” didn’t, leaving the vulnerability in place, Smith told Congress in October. Equifax didn’t notice suspicious activity within its systems until July 29.
Equifax has said hackers gained access to the company’s systems from May 13 to July 30 of last year.
In the release, Ying alleged texted a colleague on Aug. 25 about the breach saying “Sounds bad. We may be the one breached.”
Days later, Pak’s office said Ying searched on the web about Experian’s 2015 data breach and its effect on the credit bureau’s stock price. The same day, prosecutors say Ying exercised his stock options for more than 6,800 shares, which he allegedly sold for proceeds of more than $950,000, and a profit of more than $480,000.