“Sounds bad”, the former Equifax CIO wrote in a text after learning of the breach that ended up affecting almost half the US population.
The Equifax debacle is in the news again, as a former executive of one of the firm’s business units was sentenced to four months in prison last week for capitalizing on early knowledge of the massive security incident two years ago, according to a press release by the US Department of Justice (DOJ).
Jun Ying, the former Chief Information Officer (CIO) of Equifax’s US Information Solutions division, pled guilty back in March to selling his shares in the credit bureau. He admitted to dumping his stock after becoming aware of the breach but before it was disclosed a week and a half later.
This ultimately earned him the prison sentence, which was imposed last Thursday, as well as a fine of US$55,000. He was also ordered to pay restitution worth some US$117,000, and the prison time will be followed by a year of supervised release.
According to MarketWatch, citing a court filing, prosecutors were seeking more jail time – a year and three months – as well as a $75,000 fine and the restitution worth US$117,000.
As retold in detail by the DOJ, Ying knew full well what he was doing once he became aware of the hack, and acted with alacrity:
On Friday, August 25, 2017, Ying texted a co-worker that the breach they were working on “sounds bad. We may be the one breached.” The following Monday, Ying conducted web searches on the impact of Experian’s 2015 data breach on its stock price. Later that morning, Ying exercised all of his stock options, resulting in him receiving 6,815 shares of Equifax stock, which he then sold. He received proceeds of over $950,000, and realized a gain of over $480,000, thereby avoiding a loss of over $117,000. On September 7, 2017, Equifax publicly announced its data breach, which resulted in its stock price falling.
The breach at Experian, a competitor to Equifax, affected up to 15 million people.
Meanwhile, the breach at Equifax was eventually found to affect up to 148 million people. One in every two Americans, as well as hundreds of thousands of Canadians and Brits, had a range of sensitive information, including names, social security numbers, birth dates and addresses, siphoned by hackers. As we recalled a few weeks ago, the incident was facilitated by a critical vulnerability in the Apache Struts web application framework for which a patch was issued on March 6, 2017 but which Equifax failed to install in time.
Ying is the second former Equifax executive to face the music over insider trading relating to the data breach. Last October, former Equifax software product development manager Sudhakar Reddy Bonthu was sentenced to eight months of home confinement, fined $50,000, and made to give back his ill-gotten gains.
written by Tomas Foltyn, ESET We Live Security