A former Equifax executive was charged with two counts of insider trading this week following allegations that...
he used confidential information about the massive 2017 data breach to sell his shares of the company before the breach was made public.
Jun Ying, former CIO of Equifax's U.S. Information Systems business unit, faces civil charges from the Securities and Exchange Commission and criminal charges brought by the U.S. Attorney's Office for the Northern District of Georgia. The SEC alleges that Ying committed securities fraud through insider trading. Before Equifax's public disclosure of the data breach that affects 148 million U.S. consumers, Ying exercised all of his vested Equifax stock options and sold the shares for almost $1 million.
In the statement of facts in the complaint submitted to the U.S. District Court for the Northern District of Georgia, Atlanta division, the SEC alleges that Ying figured out that Equifax had been breached on Friday, Aug. 25, 2017, and on Monday, Aug. 28, 2017, he accessed his company-sponsored stock plan account, exercised all of his vested options to buy Equifax shares and immediately sold those shares, avoiding losses of over $117,000.
Ying was not officially notified of the Equifax data breach until Aug. 30, 2017, two days after he sold his shares. The public disclosure followed on Sept. 7.
According to the complaint, after Equifax learned about the breach, it formed two separate teams, Project Sierra and Project Sparta, to deal with breach response. The Project Sparta team was not told that it was Equifax itself that had been breached; they were instead told that they were working for an "unnamed client" that had experienced a large data breach. Ying was not a part of either team.
As part of Project Sparta, an email was sent to select Equifax IT employees and CIOs of select business units, including Ying. Since the Equifax employees who were part of Project Sparta didn't know their "unnamed client" was actually Equifax, the email to Ying only said that a client had a "VERY large breach opportunity" and that steps needed to be taken immediately in response. According to the complaint, Ying resisted this call to action until he was directed to by his superior, the global CIO of Equifax. Though the global CIO reportedly remained vague with the details, Ying then texted a colleague and said "On the phone with [global CIO]. Sounds bad. We may be the one breached... Starting to put 2 and 2 together."
Ying was left to put the pieces together himself as to what was happening. His conclusions allegedly led him to partake in insider trading.
Equifax did not inform its high-level executives, including Ying, that there had been a data breach until two days after Ying sold all of his shares in the company.
In other news
- A judge has denied Yahoo's request for the dismissal of a lawsuit against it over its massive data breaches. The lawsuit covers many claims ranging from negligence and breach of contract following its 2013 and 2016 data breaches that exposed the personal information of all 3 billion Yahoo users. U.S. District Judge Lucy Koh in San Jose, Calif., ordered Yahoo to face much of the claims despite its parent company Verizon's request that it be dropped. Yahoo stands accused of taking too long to notify users that their personal information had been stolen in a data breach, thus putting the users at greater risk. The data breaches were only discovered during Verizon's bid to acquire Yahoo.
- Microsoft started a limited-time bug bounty program specifically for speculative execution side channel vulnerabilities, like the Meltdown and Spectre CPU flaws disclosed in January. The bug bounty program will run until Dec. 31, 2018, and the rewards can get up to $250,000 depending on the type and severity of the vulnerability. "Speculative execution is truly a new class of vulnerabilities, and we expect that research is already underway exploring new attack methods," Phillip Misner, principal security group manager at Microsoft Security Response Center said in the blog post announcing the program. "This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues."
- U.S. President Donald Trump blocked Broadcom's acquisition of Qualcomm in a presidential order, citing national security as the reason for the move. The acquisition was set to be one of the largest deals in the technology industry to date. According to a report from Reuters, a White House official said that allowing the acquisition would risk America's lead in creating new technology and setting standards for mobile communication. Broadcom is based in Singapore and Qualcomm is based in San Diego, Calif. A White House official also confirmed that the national security concerns were related to the risks of Broadcom's relationship with third-party foreign entities.