Jun Ying accused of dumping stock options prior to September 2017 breach disclosure

UPDATED An Equifax executive who was tipped to become the credit rating agency’s next global chief information officer has been charged with insider trading.

In a statement released today, the Securities and Exchange Commission (SEC) said it has charged Jun Ying, a former CIO of a US business unit of Equifax, with insider trading prior to the group’s data breach announcement in September 2017.

According to the SEC’s complaint, Ying allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach.

The SEC alleges that before Equifax’s public disclosure of the data breach, Ying “exercised all of his vested Equifax stock options” and then sold the shares, reaping proceeds of nearly $1 million.

According to the complaint, by selling before public disclosure of the data breach, Ying avoided more than $117,000 in losses.

“As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” said Richard Best, director of the SEC’s Atlanta Regional Office.

In a statement posted to the company’s website, Equifax’s interim CEO Paulino Do Rego Barros said: “Upon learning about Mr Ying’s August sale of Equifax shares, we launched a review of his trading activity, concluded he violated our company’s trading policies, separated him from the company, and reported our findings to government authorities.

“We are fully cooperating with the DOJ and the SEC, and will continue to do so. We take corporate governance and compliance very seriously, and will not tolerate violations of our policies.”

Six months and counting

It’s now been six months since Equifax provided details of a massive data breach, which is said to have taken place in July 2017.

The credit rating agency originally estimated that 145.5 million people in the US and almost 700,000 people in the UK had been impacted, but these figures were later revised to around 147.9 million people worldwide.

Back in September, the Atlanta-based firm confirmed that customer names, social security numbers, birth dates, addresses, and – in some instances – driver’s license numbers and credit card numbers had been compromised.

In a recent earnings release, Equifax said it expects $275 million in costs related to the cybersecurity incident, offset by $75 million insurance.

Larry Ponemon, chairman of Ponemon Institute, said it could be the “most expensive data breach in history”.

Parallel charges

The US Attorney’s Office for the Northern District of Georgia today announced parallel criminal charges against Ying, who was purportedly next in line to be Equifax’s global CIO.

The SEC’s complaint charges Ying with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief.

“Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit,” said Best.

This article has been updated to include comments from Equifax.