Equifax boss guilty of exploiting data breach disclosure delay


A former Equifax boss has pleaded guilty to having used insider trading to benefit from the delayed reporting of the massive data breach suffered by the credit reporting agency in the early summer of 2017.

On September 7th 2017, Equifax disclosed that between mid-May and July of the same year, the firm had suffered a major data breach. Hackers had exploited a vulnerability in the company’s website application to steal the personal private information of up to 145.5 million US customers – data such as social security numbers, birth dates, addresses, names, email addresses and other sensitive details.

While any company can suffer a data breach, the real controversy lay in Equifax’s decision to wait six weeks before revealing that the hack had taken place.

News broke in Atlanta recently of a former Equifax executive who pleaded guilty to insider trading after using the delay in reporting the data breach to his advantage.

According to prosecutors, former chief information officer at Equifax’s US Information Systems, Jun Ying, sold his company stock in late August 2017 after finding out about an intrusion which he knew would have massive implications for the firm’s market performance.

When the breach was disclosed the following month, Equifax shares plummeted in value.

The sooner an intrusion is reported to regulatory bodies, the sooner action can be taken to strengthen security and restore order, mitigate damage suffered by victims, and investigate any criminal element that may be at large.

This reasoning helps to explain why the GDPR obliges organisations that deal with the data of EU-based citizens to report a data breach within 72 hours of its discovery.

