Fraud Management & Cybercrime , Governance & Risk Management , Incident & Breach Response
Equifax Coder Settles Insider Trading Charges With SECSoftware Engineer Profited From Breach Knowledge, Regulator Alleges
An Equifax software engineer has settled an insider trading charge with the U.S. Securities and Exchange Commission, after he allegedly earned more than $75,000 after he made a securities transaction based on his suspicion that the credit bureau had suffered a data breach.
Sudhakar Reddy Bonthu, 44, of Cumming, Georgia, was a product development manager of software engineering within Equifax's Global Consumer Solutions business unit.
Equifax fired Bonthu on March 12 after he refused to cooperate with internal investigation into violations of the company's insider trading policies.
"Bonthu owed a duty of trust and confidence to Equifax and its shareholders not to trade on the basis of material non-public information that he learned through his employment with Equifax, and was aware of his duty," according to the SEC complaint.
As part of the settlement, Bonthu has agreed to return the $77,333.79 he allegedly earned, plus interest. He also agreed to a permanent injunction. But he still faces criminal charges filed by the U.S. Attorney's Office for the Northern District of Georgia.
Second Employee Charged
Bonthu is the second Equifax employee to be charged with trading on non-public information.
In March, the SEC charged Jun Ying, 42, the former CIO of Atlanta-based Equifax U.S. Information Solutions, with committing securities fraud by engaging in illegal insider trading. Ying has also been indicted in federal court in the Northern District of Georgia (see SEC Charges a Former Equifax CIO With Insider Trading).
Equifax's breach stands as one of the largest breaches of sensitive data in history. Attackers stole personal information pertaining nearly 147 million U.S. individuals, including Social Security numbers, birth dates, addresses and in some cases, driver's license numbers. Also, 15.2 million U.K. records were exposed along with 8,000 Canadian records. The breach ranks as one of the largest and most sensitive ones on record (see Ousted Equifax CEO Faces 3 Congressional Hearings).
Concerns about executives possibly executing illegal trades abounded soon after Equifax announced the breach on Sept. 7.
An Equifax investigation, commissioned by the company's board of directors, found that four top executives, including Equifax's CFO, collectively sold $1.8 million in shares after some people in the company knew of a breach. But all four sought permission from the company before selling shares, and none knew of the breach before seeking that permission (see Equifax: Share-Selling Executives Didn't Know About Breach).
The SEC subsequently called on all publicly traded companies to tighten their insider trading rules (see SEC Releases Updated Cybersecurity Guidance).
How did Bonthu, an Equifax software engineering product development manager, suspect that his employer had been breached?
Around July 29, 2017, when Equifax's security team first suspected that the company had suffered a data breach, the information was tightly held. The company created an internal team, dubbed Project Sparta, to create a notification and remediation plan, according to the SEC complaint.
Bonthu was on that team. He was tasked with developing a user interface for people to figure out if they were affected by the breach. Bonthu also created an algorithm to remind people to come back to Equifax's website to register for identity protection services offers as a result of the breach.
Equifax told the team that it was working on the plan for "an unnamed potential client that had experienced a large data breach," the complaint says.
In late August, Bonthu saw emails that indicated the breach affected 100 million consumers. He correctly guessed that his employer was in fact the breach victim.
On Sept. 1, 2017, he used his wife's brokerage account to buy 86 "out-of-the-money put option contracts for shares of Equifax common stock with an expiration date of September 15, 2017, and a strike price of $130 per share," the SEC's complaint says. The options cost him $2,166.11.
If Equifax's stock dropped to $130 by that date, Bonthu would make money. If the stock didn't go down, he would lose. On Sept. 8 - a day after the breach was announced - Equifax's stock fell 14 percent to $123.23.
Bonthu then sold his put option contracts.
"As a result of the precipitous drop in Equifax's share price, Bonthu turned his initial investment of $2,166.11 into $77,333.79 in only six days," the SEC's complaint says. "In sum, Bonthu's ill-gotten gains from his trading in Equifax options totaled $75,167.68, a return of more than 3,500 percent on his initial investment."