A former software developer for Equifax, Sudhakar Reddy Bonthu, faces insider trading charges related to the company’s massive data breach last year, according to the SEC and federal prosecutors. Allegedly, in August 2017, Bonthu was asked to participate in Project Sparta, which Bonthu’s bosses described as a major project for one of the company’s clients who suffered a major breach that exposed details of over 100 million users.
Unknown to Bonthu at the time, that client was Equifax itself, which a month prior discovered that it was hacked and an intruder stole details for over 145.5 million US and international users. Bonthu was tasked with creating “an online user interface into which users could input information to determine whether they had been impacted by the breach.” According to court documents, he was told that “the project was a high priority for the unnamed company and had a short deadline because the client intended to ‘go live’ on September 6, 2017, with the breach remediation applications designed by Equifax.”
To create the website, which later turned out to be equifaxsecurity2017.com, Bonthu was given test data and was included in mailing lists exchanging information about the still-secret breach. SEC investigators say that Bonthu concluded on his own that the secret client in Project Sparta was in fact Equifax itself.
In an attempt to obstruct his trail he used his wife’s trading account, wherefrom he purchased eighty-six out-of-the-money put option contracts for shares of Equifax common stock with an expiration date of September 15, 2017, and a strike price of $130 per share. Bonthu made this purchase despite the fact that Equifax’s policies expressly prohibit any trading in derivative securities, including put and call options.
By purchasing out-of-the-money put options, Bonthu could make money only if the market price of Equifax stock were to drop below the put option strike price before the contract expired approximately two weeks later, on September 15. If the market price did not so drop, the put options would expire and his investment would be worthless.
On September 8, the price of Equifax common stock closed at $123.23, a drop of $19.49 (nearly 14%) per share from the prior day’s closing price of $142.72. […] As a result of the precipitous drop in Equifax’s share price, Bonthu turned his initial investment of $2,166.11 into $77,333.79 in only six days. In sum, Bonthu’s ill-gotten gains from his trading in Equifax options totaled $75,167.68, a return of more than 3,500% on his initial investment.
The SEC says Bonthu had never previously traded in Equifax options. Equifax fired Bonthu in March 2018 after he allegedly refused to cooperate on an internal investigation on charges that he violated the company’s insider trading policy. Bonthu has agreed today to a permanent injunction and to return ill-gotten gains plus interest. If the settlement is approved by a judge, this will terminate SEC civil charges.
The equifaxsecurity2017.com website, on which Bonthu worked, has been deemed one of the most poorly put together breach notification sites in recent years, with several issues affecting it.
He is the second Equifax employee charged with insider trading after Equifax’s breach last year. Earlier this March the SEC charged former CIO of Equifax U.S. Information Solutions Jun Ying. Equifax says it tipped off the Department of Justice and the SEC to Ying’s alleged insider trading.
Although Ying wasn’t directly told that Equifax had been breached, he was assigned to assist Equifax’s Global Consumer Solutions unit with what was billed as “a business opportunity for an unnamed client,” code-named Project Sparta, according to court documents. The project was designated as “urgent,” and everyone participating, including Ying and his team, were instructed to cancel their Friday evening plans and respond to all requests.
At 5:27 p.m. that day, Ying texted a co-worker that the breach they were working on “sounds bad” and noted: “We may be the one breached. . .. Starting to put 2 and 2 together,” according to the SEC complaint. Later that evening, Ying learned that Equifax’s CSO, chief legal officer and vice president of cybersecurity had all canceled their travel plans, it adds.
The following Monday, around 10 a.m., “Ying used a search engine to find information on the internet concerning the September 2015 cybersecurity breach of Experian, another one of the three major credit bureaus, and the impact that breach had on Experian’s stock price,” according to the complaint. “The search terms used by Ying were: (1) ‘Experian breach’; (2) ‘Experian stock price 9/15/2015’; and (3) ‘Experian breach 2015.’
“This defendant took advantage of his position as Equifax’s USIS chief information officer and allegedly sold over $950,000 worth of stock to profit before the company announced a data breach that impacted over 145 million Americans,” says U.S. Attorney Byung J. “BJay” Pak. “Our office takes the abuse of trust inherent in insider trading very seriously and will prosecute those who seek to profit in this manner. By selling when he did, Ying avoided losses in excess of $117,000.”
Earlier this month, Equifax revised its estimate of the breach’s impact to 147.9 million U.S. consumers. About 15 million U.K. consumers – of which about 860,000 are at risk of identity theft – and 8,000 Canadian consumers also saw their personal information get breached (see Equifax Breach Victims: UK Count Goes Up).
I identified Equifax’s control gaps and conflict of interest in a post shortly after the breach in 2017. I suspected then as I do now that more people will be charged related to conflict of interest with LifeLock identity theft protection.
Information sourced from Tara Siegel Bernard for the New York Times, Allison Prang for the Wall Street Journal, and the associated press. Curated and edited by Jeremy Swenson of Abstract Forward Consulting.