SEC complaint reveals new details of Equifax’s response to breach

Channel 2 News learned text messages played a role in the investigation.

A Securities and Exchange Commission insider trading complaint against a former Equifax executive offers new insights into how the Atlanta-based credit bureau responded to the hacking last year that exposed the sensitive information of more than 140 million Americans.

The company previously revealed hackers gained access to its systems from May 13 to July 30, and after that, it retained security consultants and a law firm to help determine the scope of the breach. The company also alerted federal authorities.

But in the civil complaint against former executive Jun Ying, the SEC offered new details of how the company reacted, designating its overall response to the breach as “Project Sierra” and the notification plan for millions of affected consumers “Project Sparta.”

The two-pronged approached limited how many people knew the full extent of the breach or that Equifax itself was the target of cyber-criminals.

Ying, 42, then the chief information officer of an Equifax division known as U.S. Information Solutions, was not initially involved in the breach response, the SEC complaint says.

Jun Ying, former chief information officer of an Equifax division known as U.S. Information Services, is accused of selling more than $950,000 in stock before the data breach was made public.

icon to expand image

Ying was indicted this week in a separate criminal complaint alleging insider trading for selling nearly $1 million in stock after gaining knowledge of the breach before it became public. Lawyers for Ying declined to comment. He is scheduled to make an initial appearance before a judge on Thursday.

In the indictment, prosecutors allege that, “on or about” Aug. 15, after Equifax determined that sensitive consumer data had likely been stolen, the company “imposed a special trading blackout date for employees who were aware of the breach.”

At the time, Ying was not among them, and it’s not clear how many Equifax employees were.

On Aug. 25, an email was sent to top information technology officials within the company, including Ying, the SEC complaint said. It was part of Project Sparta, and alerted the IT officials of a “very large breach opportunity” with a time-sensitive deadline.

IT officials were also told to cancel their plans that evening, a Friday, to respond to Project Sparta.

Credit bureaus such as Equifax routinely help corporate customers who have been hacked by providing credit monitoring services to affected consumers.

The SEC complaint says Ying pieced together that Equifax had been hacked through texts, calls and other communications that day.

In a text to a colleague on Aug. 25, Ying allegedly wrote: “On the phone with [global CIO]. Sounds bad. We may be the one breached. … Starting to put 2 and 2 together.”

The SEC alleges that “Ying used the information entrusted to him as an Equifax employee to conclude that Equifax was the victim of the breach, and that the ‘breach opportunity’ idea suggesting a client was the victim was merely a cover story.”

Later in the day, Ying and his boss discussed a breach response plan, which called for offering credit reports for 50 million people, and that it would strain Equifax’s resources.

The breach ultimately exposed the personal information of about 148 million people.

MYAJC.COM: REAL JOURNALISM. REAL LOCAL IMPACT.

AJC Business reporter J. Scott Trubey keeps you updated on the latest news about economic development and commercial real estate in metro Atlanta and beyond. You'll find more on myAJC.com, including these stories:

Never miss a minute of what's happening in local business news. Subscribe to myAJC.com.