On July 29, Equifax determined that it had been subject to an IT breach that included sensitive information. A crisis team was formed to determine the scope of the intrusion and begin a notification and remediation plan. Many of the employees who were working on this project were not told the company’s systems had been attacked, rather, they believed they were working for an unnamed potential client that had experienced a large data breach.
This was the case for a software product development manager working at a unit of the company which sold personal security and identity theft defense products and services to clients. Through this work, he learned that the breach impacted at least 100 million consumers.
Within a few days, he concluded that Equifax itself was the victim of the breach. In his wife’s account, he purchased 86 out-of-the-money put option contracts for shares of Equifax common stock with an expiration date of two weeks and a strike price of $130 a share, $10 below the share price that day. The total price was $2,166.11. The company’s policy expressly prohibits any trading in derivative securities.
The day after Equifax announced the breach, on September 7, the price of the stock closed at $123.23, a drop of nearly 14% from the prior day. The employee sold all of his options the next day, making a net profit of $75,167.68, a return of more than 3,500% on his initial investment.
The former employee, whose employment has since been terminated because he refused to cooperate in the investigation, has agreed to a permanent injunction and disgorgement with the SEC. The U.S. Attorney’s Office for the Northern District of Georgia has also filed criminal charges.