Regulatory fallout continues to haunt the consumer credit reporting agency as Sudhakar Reddy Bonthu, a software engineer, became the second Equifax employee to be charged with insider trading.
According to the Securities and Exchange Commission (SEC) complaint (see here for document), Bonthu, based on information he received over a one-week span, concluded that Equifax had suffered a massive security breakdown. Bonthu proceeded to buy options in Equifax’s stock, using his wife’s brokerage account, prior to the data breach announcement. When Equifax disclosed the breach on September 7th, 2017, and saw its stock price plummet the next day, the software engineer was left with a cool $75,000 profit, according to SEC documents. Upon entering his guilty plea, Bonthu reached a settlement with the SEC, and is scheduled to be sentenced on October 18th, 2018.
Bonthu joined Equifax’s former US Chief Information Officer (CIO), Jun Ying, as the other employee charged with insider trading. When Ying realized that Equifax had suffered a material data breach, he sold all his vested Equifax stock to avoid incurring losses when the breach was subsequently disclosed. In March 2018, Ying was charged by the SEC with insider trading (see here for document).
In this case, we have two examples where the first thought of insiders, tasked with IT security, was to use insider knowledge of a cyber breach to profit. It is another lesson that rogue employees can be the weakest link in an organization’s security posture.