A former Equifax executive who was in line to become global chief information officer has been accused of insider trading by federal authorities for allegedly dumping thousands of shares of the company's stock after a massive data breach at the credit reporting firm last year.
In a lawsuit filed Wednesday, the Securities and Exchange Commission said Jun Ying — at the time chief information officer of a U.S. unit — sold about 6,800 Equifax shares after he learned of the breach, but before the company had announced it publicly, amounting to an illegal trade based on insider information.
In addition to the civil suit brought by the SEC, Ying is facing criminal fraud charges from the Department of Justice. He was indicted by a federal grand jury Tuesday and is set to be arraigned this week.
Ying's attorneys declined to comment.
Ying sold his Equifax shares Aug. 28 for about $950,000. The SEC estimated that had he sold those shares after the breach was made public in September, he would have made $117,000 less. It also alleged that Ying sold shares shortly after researching how a smaller data breach in 2015 affected the stock price of Experian, an Equifax competitor.
Ying, 42, an Atlanta resident, resigned from the company in October after Equifax found he had violated its internal insider-trading policy and threatened him with termination, according to the SEC lawsuit.
The Equifax breach, announced Sept. 7, is one of the largest ever corporate data breaches and caused the Atlanta-based company's share to plunge in value.
The credit-reporting company said that the personal information of 145.5 million consumers had been compromised, including names, Social Security numbers, birth dates, addresses and — in some cases — driver's license numbers and credit card numbers. It also said the personal information from thousands of dispute documents was accessed.
However, earlier this year, the company told the Senate Banking Committee that a forensic investigation found criminals accessed other information. That included tax identification numbers, email addresses and phone numbers. Details, such as the expiration dates for credit cards or issuing states for driver's licenses, were also included in the list.
Also, just this month, the company said 2.4 million more people were affected by the breach, though the additional identified victims did not have their Social Security numbers compromised.
Paulino Do Rego Barros Jr., the company's interim chief executive, issued a statement Wednesday that the company launched a review of Ying's sales on its own, "separated" him from the company and reported its findings to authorities.
"We are fully cooperating with the DOJ and the SEC, and will continue to do so. We take corporate governance and compliance very seriously, and will not tolerate violations of our policies," the statement said.
Ying, who began working for Equifax in 2013, was considered a potential successor to the company's global chief information officer, and was offered the job a week after the breach was disclosed publicly, according to the SEC's complaint.
On Aug. 25 — more than a week before Equifax publicly announced the breach — Ying deduced that the company had been the target of a breach, the SEC alleges.
Equifax had not yet made clear to Ying that it itself had been breached, but told him it was responding to a "VERY large breach opportunity" at an unnamed company, the SEC lawsuit says. The suit details a string of phone calls, meetings and text messages that day, in which Ying said he was "starting to put 2 and 2 together."
The following Monday, Aug. 28, Ying exercised options to buy 6,815 shares of Equifax stock, then immediately sold those shares. Just before selling those shares, the SEC alleged, Ying reviewed stock information that showed Experian shares had dipped 4% after that company's data breach.
The next day, Aug. 29, Ying was officially informed that Equifax had been the target of the breach, according to the SEC suit.
The SEC wants Ying to pay back the $117,000 in illegal gains it says he made by selling shares before the breach was publicly announced. It also wants him to pay an unspecified fine and to be prohibited from serving as an officer of a publicly traded company.
Ed Mierzwinski, consumer program director for U.S. Public Interest Research Group, said the SEC's lawsuit against Ying paints a picture of slapdash procedures at Equifax that likely allowed other employees to know of the data breach before it was publicly announced.
"They'll throw him under the bus, but their practices in attempting to prevent insider trading don't seem that good," he said. "It just goes to show that the company had a really sloppy culture. It's clear you didn't have to be super smart or super sophisticated to figure this out."
In September, the U.S. Justice Department opened a criminal investigation into whether top officials at Equifax had violated insider trading laws in connection with the breach.
Three Equifax Inc. senior executives — Chief Financial Officer John Gamble, and Presidents Joseph Loughran and Rodolfo Ploder — sold shares worth almost $1.8 million in the days after the company discovered the breach. Equifax has said those three executives had not been informed of the incident when they initiated the sales.
Richard Smith, then chief executive, stepped down a few weeks after the breach was disclosed. He was later dragged before congressional hearings in October, during which he blamed the breach on "human errors and technology errors" and was berated by angry lawmakers, who indicated a desire to tighten cybersecurity laws.
In response to the breach, Equifax has offered free credit freezes through June 30. A credit freeze allows consumers to block access to their credit reports from new lenders, making it more difficult for identity thieves to open accounts using stolen data.
This month, a congressional hearing was held on a draft bill to create national standards for breach notifications, but consumer advocates have attacked the legislation as a move backward, at least in part because it would preempt tougher standards already in place in some states.
"One guy has been indicted for insider trading, but they haven't been held accountable," Mierzwinski said. "Meanwhile, they're getting Congress to eat from their hand."
The Associated Press and Times columnist David Lazarus contributed to this report.
Bloomberg contributed to this report.
2:25 p.m.: This article was updated with Ying being charged with fraud, according to the criminal indictment.
12:15 p.m.: This article was updated with more details about the data breach, a statement from Equifax and comments from Ed Mierzwinski, consumer program director for U.S. Public Interest Research Group.
9 a.m.: This article was updated with more information from the SEC lawsuit and information about criminal charges.
8:20 a.m.: This article was updated with Los Angeles Times staff reporting.
7:55 a.m.: This article was updated with additional details about the allegations against Jun Ying and background information about Equifax.