The US Securities and Exchange Commission (SEC) has charged former Equifax executive Jun Ying with insider trading saying he sold stock based on confidential company information enabling him to avoid more than US$ 117,000 (£83,944) in losses.
Ying, who was the chief information officer for Equifax's US business unit, sold stock in advance of the company's September 2017 announcement that it had suffered a massive data breach affecting almost 148 million people worldwide. The SEC said in its complaint that Ying used information that was privy to himself to conclude that a major data breach had taken place and to sell the stock he owned in the company.
“The SEC alleges that before Equifax's public disclosure of the data breach, Ying exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly US$ 1 million (£717,540). According to the complaint, by selling before public disclosure of the data breach, Ying avoided more than US$ 117,000 (£83,944) in losses,” the SEC said in a statement.
The charges specifically say Ying violated the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief.
The data breach was caused by the exploitation of a vulnerability in open-source server software Apache Struts. Former Equifax CEO and Chairman Richard Smith in October told the House Energy and Commerce Committee Subcommittee on Digital Commerce and Consumer Protection that Equifax learned of the Apache Struts vulnerability from US CERT earlier in March 2017 and then twice searched for any issues in its networks coming up empty each time and thus allowing the flaw to remain unpatched in its Consumer Dispute Portal.
In the immediate aftermath of the data breach becoming public knowledge the worldwide Smith and the company's CIO and CSO all retired.