Forty-two-year-old Jun Ying, the former chief information officer of the company, is facing charges of insider trading after he allegedly sold over $950,000 worth of stock before the company announced its data breach that hit over 145 million Americans - or nearly half of the US population.
Equifax Chief Financial Officer John Gamble and three other executives sold shares worth a combined $1.8 million days after Equifax discovered suspicious activity on its network - and almost a month before Ying sold his shares - but Equifaxsaid an independent committee determined that these other executives did not know of the breach when their trades were made. Had he sold after the breach, he would have lost $117,000, according to a statement from the SEC.
In addition to the SEC complaint, Ying is facing criminal charges from the U.S. Attorney's Office for the Northern District in Georgia.
"Corporate insiders who learn inside information, including information about material cyber intrusions, can not betray shareholders for their own financial benefit", said Richard Best, Director of the SEC's Atlanta office.
The stock market regulator has charged Ying with violating the antifraud provisions of federal securities laws and is seeking "disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief".
The Atlanta firm is one "Big Three" credit agencies along with Experian and TransUnion.
He then allegedly sold those Equifax shares for total proceeds of more than $950,000. Workforce solutions president, Rodolfo Ploder, sold stock worth more than $250,000 on August 2.
After conducting its own investigation, the Equifax board concluded that none of the four executives knew of the breach when they made their trades.
On a Friday afternoon in late August, an email went out to several top executives at Equifax asking them to begin work immediately on an emergency project related to a "VERY large breach Opportunity", according to the SEC complaint. It was disclosed to the public on September 7.
As well as the American customers, information on up to 44 million British residents as well as 8,000 Canadian residents were also compromised.
Equifax had been aware of the breach since July 29, days before some of its senior executives, including its chief financial officer, sold US$1.8 million worth of company shares.
There was also a breach in March 2017, which was reported on September 18, 2017.