Equifax Engineer Who Designed Breach Website Charged With Insider Trading

Equifax

The US Securities and Exchange Commission (SEC) has indicted a former Equifax engineer on charges of insider trading.

According to court documents, Sudhakar Reddy Bonthu, 44, of Cumming, Georgia, worked for Equifax between September 2003 and March 2018.

Starting September 2013, Bonthu worked as Production Development Manager of Software Engineering in Equifax’s Global Consumer Solutions (GCS) business unit. Bonthu’s job involved creating software for Equifax’s internal use, but also for its clients.

Bonthu worked on Equifax’s breach website

In August 2017, Bonthu was asked to participate in Project Sparta, which Bonthu’s bosses described as a major project for one of the company’s clients who suffered a major breach that exposed details of over 100 million users.

Unknown to Bonthu, that client was Equifax itself, which a month prior discovered that it was hacked and an intruder stole details for over 145.5 million US and international users.

Bonthu was tasked with creating “an online user interface into which users could input information to determine whether they had been impacted by the breach.”

According to court documents, he was told that “the project was a high priority for the unnamed company and had a short deadline because the client intended to ‘go live’ on September 6, 2017, with the breach remediation applications designed by Equifax.”

Bonthu realized on his own the breached company was Equifax

To create the website, which later turned out to be equifaxsecurity2017.com, Bonthu was given test data and was included in mailing lists exchanging information about the still-secret breach.

SEC investigators say that Bonthu concluded on his own that the secret client in Project Spart was Equifax itself.

Using this information, the SEC says Bonthu used his wife’s brokerage account to sell Equifax stock and eventually made more than $75,000, a return of more than 3,500% on his initial investment.

In his wife’s account, Bonthu purchased eighty-six out-of-the-money put option contracts for shares of Equifax common stock with an expiration date of September 15, 2017, and a strike price of $130 per share. Bonthu made this purchase despite the fact that Equifax’s
policies expressly prohibit any trading in derivative securities, including put and call options.

By purchasing out-of-the-money put options, Bonthu could make money only if the market price of Equifax stock were to drop below the put option strike price before the contract expired approximately two weeks later, on September 15.  If the market price did not so drop, the put options would expire and his investment would be worthless.

The strike price of $130 per share was more than $10 below the price at which Equifax common stock traded on that day.

The total price of the Equifax option contracts purchased by Bonthu on September 1 was $2,166.11.

On September 8, the price of Equifax common stock closed at $123.23, a drop of $19.49 (nearly 14%) per share from the prior day’s closing price of $142.72. […] As a result of the precipitous drop in Equifax’s share price, Bonthu turned his initial investment of $2,166.11 into $77,333.79 in only six days. In sum, Bonthu’s ill-gotten gains from his trading in Equifax options totaled $75,167.68, a return of more than 3,500% on his initial investment.

The SEC says Bonthu had never previously traded in Equifax options.

Bonthu fired after refusing to cooperate with internal investigators

Equifax fired Bonthu in March 2018 after he refused to cooperate on an internal investigation on charges that he violated the company’s insider trading policy. He remained unemployed.

Bonthu has agreed today to a permanent injunction and to return ill-gotten gains plus interest.  If the settlement is approved by a judge, this will terminate SEC civil charges.

He is the second Equifax employee charged with insider trading after Equifax’s breach last year. The SEC also charged former Equifax CIO, Jun Ying, in March this year.

The equifaxsecurity2017.com website, on which Bonthu worked, has been deemed one of the most poorly put together breach notification sites in recent years, with several issues affecting it.