The former Equifax employee used confidential information to make profits
In August 2017, a project codenamed “Sparta” was assigned to Sudhakar Reddy Bonthu, a production development manager who collaborated with Equifax’s software management team, according to reports of digital forensics specialists from the International Institute of Cyber Security.
Bonthu’s bosses told him that the project was for one of the company’s clients; it involved building an online user interface that would allow the client’s own consumers to determine whether their information had been put at risk by a massive data breach at Equifax. Bonthu was not told the client’s name, but he was informed that the project had very high priority and that it should be ready to begin operating by September 26, 2017.
Bonthu, however, did not need his superiors at Equifax to tell him the name of that confidential client, as he discovered it on his own.
While working on the project, Bonthu received emails and participated in conversations that informed him that the security breach affected at least 100 million consumers, and that the personal information involved included names, addresses, phone numbers, birth dates and social security numbers.
At the end of August 2017, Bonthu was also copied on an email with an attached test data file. The file was named “EFXDatabreach.postman_collection”. Bonthu deduced, correctly, that the Sparta project was not about creating a security breach disclosure website for one of Equifax’s clients, as his bosses had told him, but that the site was for Equifax itself, as reported by experts in digital forensics.
Armed with confidential information, Bonthu used a brokerage account in his wife’s name to purchase 86 put options on Equifax’s shares, a direct violation of the company’s policies. With these put options, Bonthu could only make money if the market price of Equifax’s shares fell before September 15, 2017.
Bonthu sold all of his put options on Sept. 8, the day after Equifax announced that the security breach had affected approximately 143 million US consumers, which sent its share price into freefall; that turned Bonthu’s initial investment of $2,166 USD into $77,333 USD in just six days.
Bonthu, 44 years old and living in Atlanta, Georgia, refused to cooperate with an internal Equifax investigation and was subsequently fired. The former development manager avoided prison, but was sentenced to eight months of home confinement. In addition, he was fined $50,000 USD and ordered to forfeit the earnings derived from insider trading.
“Bonthu intentionally took advantage of the information that was entrusted to him to gain a quick profit”, said US Attorney Byung Pak. “The integrity of stock markets and investor confidence have been harmed by those who use private information for personal gain”.
As digital forensics specialists reported at the time, Equifax suffered a massive data breach last year between mid-May and late July, exposing highly sensitive information of up to 145 million people in the US, including victims’ names, birth dates, phone numbers, driver’s license details, addresses and social security numbers.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.