Equifax executive indicted for alleged insider trading after hacking

A former Equifax executive was indicted this week for insider trading for allegedly selling nearly $1 million in stock before the company announced a massive data breach.

Jun Ying, the former chief information officer of an Equifax division known as U.S. Information Solutions (USIS), is accused of selling more than $950,000 in stock before the public was told that the personal information of more than 140 million Americans was exposed in the breach, according to U.S. Attorney Byung “BJay” Pak.

The Securities and Exchange Commission said Ying used confidential information to avoid more than $117,000 in potential losses in the value of his stock.

Attorneys for Ying declined to comment.

The case against Ying — a rising star who was “next in line” to become Equifax’s global CIO, the SEC said — is the first known criminal charge since the breach became public last September.

The maximum penalty for the crime is 65 years in prison, according to Pak, who spoke to reporters Wednesday afternoon outside the Richard B. Russell Federal Building downtown.

Joined by officials from the SEC and FBI, Pak would not close the door on the chance of more indictments.

“There is an ongoing investigation,” he said. “We are looking at every aspect. … If there is a violation of the law, my office and that of the SEC will bring enforcement action.”

Pak declined to offer a timeline of the investigation or detail the events that sparked prosecutorial interest.

“Let’s just say that something prompted us to seek a subpoena,” he said.

That subpoena included a demand to see Ying’s trading records and to access his computer.

In a statement Wednesday, Equifax implied that it had acted to check out Ying’s trades before ever hearing from federal officials. Equifax also emphasized that it has been cooperating with the U.S. attorney’s investigation.

Richard Best, Atlanta-based regional director of the SEC, said the crime of insider trading is an attack on the integrity of the financial system.

“It hurts the markets,” he said. “They depend on trust that everybody is getting information at the same time.”

Ying, 42, of Atlanta, is expected to be arraigned on Thursday. He was indicted by a federal grand jury on Tuesday.

USIS provides consumer and corporate information to lenders and other clients, and it also provides fraud and identity management services. The company accounted for about a third of Equifax’s $3.36 billion in operating revenue in 2017.

A biography of Ying on the website of the Atlanta Association of Information Technology Professionals states that he led USIS’s “[information technology] strategy and execution, ensuring technology investments and product development are aligned with Equifax’s growth and innovation agenda.”

He joined Equifax’s senior IT leadership in July 2013.

Trades examined

The breach became public in September when Equifax said its systems had been hacked and the personal data of more than 140 million Americans, including names and Social Security numbers, had been compromised.

The breach triggered probes by the feds and a coalition of state attorneys general, including Georgia Attorney General Chris Carr. The SEC launched an examination into trading activity by Equifax insiders after the company discovered the breach.

Last September, federal investigators began analyzing the trading of Equifax stock after Bloomberg revealed stock sales by Chief Financial Officer John Gamble and the heads of two Equifax business units, Joseph “Trey” Loughran and Rodolfo Ploder. Collectively, they sold $1.8 million in stock in early August.

In November, Equifax announced the trades by the three officers and a fourth executive, Douglas Brandberg, were not instances of insider trading. A review by an independent committee of the Equifax board found “none of the four executives had knowledge of the incident when their trades were made [and] that pre-clearance for the four trades was appropriately obtained.”

That company examination was separate from the one that uncovered Ying’s alleged trades.

Equifax Interim CEO Paulino Do Rego Barros Jr. said a a statement that after learning of Ying’s trades, Equifax “concluded he violated our company’s trading policies, separated him from the company and reported our findings to government authorities.”

“We are fully cooperating with the (Department of Justice) and the SEC, and will continue to do so,” the CEO’s statement said.

The cyber-heist led to the departure of former Chairman and CEO Rick Smith and a handful of other top executives, and Equifax has promised reforms in its business and data security apparatus.

Though the breach drew outrage from many on Capitol Hill, little has been accomplished at the federal level since the hacking, in terms of consumer protection.

Back in March 2017, the U.S. Department of Homeland Security alerted Equifax to the need to patch a vital software application used on its websites.

Smith, Equifax’s former CEO, told Congress in October the alert was sent the next day via email to the Equifax personnel who oversee security of the application, known as Apache Struts. Equifax’s policy is such security updates be made within 48 hours.

But in this case, it wasn’t.

That vulnerability allowed hackers to access some of the most valuable and sensitive personal information on the planet.

‘Sounds bad’

A parallel SEC civil complaint outlines how authorities believe Ying discovered Equifax was the victim of hacking before he was officially informed by company leadership and sold his shares as Equifax prepared to inform consumers.

The SEC lawsuit said Ying was not aware Equifax had been breached until August.

On Aug. 25, his group was told to prepare to manage a “breach opportunity.”

Credit bureaus such as Equifax are routinely tasked with helping other companies protect consumers when cybersecurity incidents occur, including providing credit monitoring services.

That same day, the SEC complaint alleges, Ying pieced together that Equifax’s systems had been targeted.

In the complaint, Ying allegedly texted a colleague about the breach, saying, “Sounds bad. We may be the one breached.”

A few days later, Pak’s office and SEC complaint allege, Ying searched on the web about Experian’s 2015 data breach and its effect on the rival credit bureau’s stock price.

He then exercised his stock options for more than 6,800 shares, which he sold for proceeds of more than $950,000, and a profit of more than $480,000, the complaint said.

Ying was not officially informed of the breach until Aug. 30, two days after authorities said he sold his shares. The SEC alleges Ying was told by a lawyer for Equifax the breach information was confidential and he should not trade shares.

Ying “did not volunteer” he’d already sold his shares, the SEC complaint said.

On Sept. 15, after Equifax’s global CIO resigned, Ying was offered the company’s top CIO job. But the SEC said that offer was rescinded after an internal Equifax probe of Ying’s stock trades. Ying resigned on Oct. 16 in lieu of termination.

The Story So Far

Previously: Atlanta-based credit bureau and technology company Equifax announced in September its systems had been breached and the personal information, including Social Security numbers, of more than 140 million Americans had been exposed to criminals.

The latest: A senior Equifax executive, Jun Ying, the former chief information officer of Equifax's U.S. Information Solutions, has been indicted for alleged insider trading for selling stock before the breach became public.

What's next: Investigations of the hack continue by the attorneys general of the 50 states and the federal government. A nationwide class action lawsuit against Equifax also is in progress.


AJC Business reporter J. Scott Trubey keeps you updated on the latest news about economic development and commercial real estate in metro Atlanta and beyond. You'll find more on myAJC.com, including these stories:

Never miss a minute of what's happening in local business news. Subscribe to myAJC.com.