”Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” Richard R. Best, Director of the SEC’s Atlanta Regional Office, said in a statement.
Equifax disclosed last year that hackers had obtained sensitive information, including Social Security numbers and dates of birth, for more than 143 million people. The breach began in May and was discovered by the company July 29.
According to the complaint, Equifax began assembling teams, “Project Sierra” and “Project Sparta” to respond to the breach. At the time, Ying, 42, had worked at Equifax since 2013 and was a leading candidate to become its global chief information officer. But he was not initially part of either team responding to the breach.
Then in late August, according to the complaint, Ying began to realize the company had been victim of a major theft. After a call with a high-ranking executive, Ying texted to a colleague: “Sounds bad. We may be the one breached. … Starting to put 2 and 2 together.”
A few days later, Ying searched online to determine how a major cyberbreach had affected the stock price of one of Equifax’s competitors, Experian. Within an hour of discovering how Experian’s stock price had suffered after a much smaller hack, Ying exercised all of his vested Equifax stock options, according to the complaints. He then sold those shares for nearly $1 million.
The next day, according to the indictment, Ying texted a friend: “I think some big media announcement is coming about us. … I think it might be bad.” Nine days later Equifax publicly announced that it had been breached, sending its stock price plummeting. If Ying had waited until news of the breach was made public, he would have suffered losses of $117,000, according to the SEC complaint.
“The alleged actions of this defendant undermine the public’s confidence in the nation’s stock markets,” David J. LeValley, special agent in charge of the FBI’s Atlanta division, said in a statement.
Ying’s attorney declined to comment.
The company dismissed Ying after learning about the trades and is cooperating with federal authorities, Equifax said in a statement. “We take corporate governance and compliance very seriously, and will not tolerate violations of our policies,” said Equifax’s interim Chief Executive Officer, Paulino do Rego Barros Jr.
Trading by other Equifax executives had also come under scrutiny. Chief Financial Officer John W. Gamble; Joseph M. Loughran III, president of U.S. information solutions; and Rodolfo O. Ploder, president of workforce solutions, sold large amounts of their shares of Equifax stock before news of the breach became public, and they made $2 million in profits. A special committee formed by Equifax’s board of directors investigated the matter and cleared those executives of wrongdoing last year. Also, none was mentioned in the complaints filed Wednesday against Ying.
The news is likely to renew complaints that Equifax hasn’t paid a high enough price for the breach. The company bungled its initial response, including a post on its Twitter page that mistakenly directed consumers in search of help to a fake site pretending to be Equifax. Its former chief executive Richard Smith was repeatedly hauled before Congress for lengthy hearings. Earlier this month, Equifax said that 2.4 million more consumers than previously reported were affected by the massive data breach, bringing the total of those affected to as many as 147.9 million consumers or about half the country.
But the government response has been largely muted so far. Despite numerous investigations, the firm has not been fined or charged for its conduct related to the breach. “Years from now, there are going to be families who can’t get home loans, families who have terrible credit scores, and families who are stuck fighting fraudulent charges because of Equifax,” Sen. Ben Sasse (R-Neb.) said in a statement. “Someone has to answer for this.”