The ongoing fallout from last summer's Equifax breach that exposed personal information of more than 145 million customers took a startling turn Wednesday: Former CIO Jun Ying was indicted for insider trading based on allegations he sold more than $950,000 worth of company stock days before the company publicly announced the breach.
Ying's indictment should serve as further example of the gravity of data breaches and how companies' corporate culture plays a big role in proper breach response, experts said.
"Insider trading is insider trading -- others should remember that if they violate this law, they will be held to account," TCE Strategy CEO and cybersecurity expert Bryce Austin said. "They need to act accordingly -- data breaches have real potential losses to an organization."
Hackers that breached the Atlanta-based consumer credit reporting agency acquired names, social security numbers, birth dates and addresses for Equifax's U.S. customers. As the Equifax CIO of U.S. information solutions at the time of the breach, Ying learned information that helped him determine that Equifax was the victim of the large data breach before the breach was made public, according to the Department of Justice.
The DoJ alleges that on Aug. 25, 2017, Ying texted a co-worker the following: "Sounds bad. We may be the one breached ... Starting to put 2 and 2 together." The DoJ's indictment alleges that on August 28, Ying conducted web searches inquiring how Experian's 2015 data breach influenced its stock price. Later that day, Ying exercised all of his available stock options and he received 6,815 shares of Equifax stock. He then sold the stock, receiving proceeds of over $950,000 and a gain of more than $480,000, according to the DoJ.
Equifax publicly announced the breach on Sept. 7, and its stock price fell soon after.
"It's definitely something regulators are looking out for -- breaches have become common enough that one of the first activities of outside parties is to view the impact of the breach on the stock," Forrester Research analyst Jeff Pollard said.
Trading by other Equifax executives at the time of the breach was scrutinized: Three other executives sold large amounts Equifax stock before news of the breach became public, netting $2 million in profits. The executives were cleared of any wrongdoing last year by a special committee formed by Equifax's board of directors, and none of these executives were mentioned in the DoJ's complaint against Ying.
Organizations that pride themselves on being transparent with customers have learned that a rapid breach response that focuses on the victims -- customers and employees -- helps mitigate negative fallout when a hack occurs, Pollard added.
"You can learn quite a bit about how a company functions on the inside by how it responds to a breach," Pollard said. "Any culture that promotes an atmosphere of 'we win together but lose as an individual' is not going to do a good job of handling a breach; those cultures want scapegoats."
Austin agreed, noting that while he is happy federal regulators are conducting their due diligence on the Equifax breach, Ying's violations should also be judged as a reflection of Equifax's overall operations.
"I'm more frustrated with the lack of overall accountability of Equifax as an organization," Austin said. "It would not surprise me if more indictments were to come."
Both Austin and Pollard said that while they had never heard of an IT executive being charged with insider trading following a data breach, they are convinced smaller scale incidents like it have occurred in the past.
As a result, the charges against the former Equifax CIO could serve as a precedent -- and a warning -- for other modern, tech-centric companies. For example, Pollard said he was surprised more companies don't have more senior and junior leaders participating in 10b5-1 plans, the U.S. Securities Exchange Commission (SEC) guidelines designed to help prevent insider trading.
"Given the technology-intensive nature of breaches and breach response, it's inevitable that word will spread internally through games of 'telephone' -- which is almost exactly what happened last year," Pollard said.
Ying, 42, worked at Equifax from January 2013 until October 2017. The former Equifax CIO was indicted by a federal grand jury on March 13. He will be arraigned on the charges this week before U.S. Magistrate Judge Linda T. Walker. The case is also being investigated by the FBI; and the Securities and Exchange Commission also made contributions to the case, according to the DoJ.