In August 2017, Sudhakar Reddy Bonthu, a production development manager in Equifax’s software management team was given a project codenamed “Sparta.”
Bonthu’s bosses told him that the project was for one of the company’s clients, and involved building an online user interface that would allow the client’s own customer to determine if they had been put at risk by the breach.
Bonthu was not told the name of the client, but was informed that the project was a high priority and needed to be ready to go live by September 26th 2017.
Bonthu, however, didn’t need to be told the name of the client. He worked it out for himself.
While working on the project he received emails and participated in conversations that informed him the breach impacted at least 100 million consumers, and the personal information breached included first and last names, addresses, phone numbers, dates of birth, and social security numbers.
At the end of August 2017, Bonthu was also copied on an email that contained a test dataset file. The file was named “EFXDatabreach.postman_collection”
Bonthu deduced correctly that Project Sparta wasn’t about building a breach disclosure website for one of Equifax’s clients as his bosses had told him, but for Equifax itself.
Armed with the sensitive information, Bonthu used a brokerage account in his wife’s name and purchased 86 “put options” in Equifax stock – a direct breach of Equifax’s policies.
By buying “put options,” Bonthu could only make money if the market price of Equifax stock were to drop by September 15 2017.
Bonthu sold all of his put options on September 8, the day after Equifax announced its data breach had impacted approximately 143 million US consumers, sending its share price into freefall – and turning Bonthu’s initial investment of $2,166.11 into $77,333.79 in just six days.
44-year-old Bonthu, of Atlanta, Georgia, declined to co-operate with an internal Equifax investigation, and was subsequently fired.
The former development manager has avoided imprisonment, but has been sentenced to eight months of home confinement. In addition he was fined $50,000 and ordered to forfeit his profits from the insider trading.
“Bonthu intentionally took advantage of information entrusted to him in order to make a quick profit,” said US Attorney Byung Pak. “The integrity of the stock markets and the confidence of investors are impaired by those who use nonpublic information for personal gain.”
Bonthu is not the only Equifax employee to have been charged with insider trading in relation to the company’s data breach. In March, Equifax’s ex-chief information officer for its US information solutions business was charged after allegedly selling $1 million worth of stock, and eyebrows were raised last year after three senior executives sold a combined $1.8 million worth of Equifax shares just days after the credit reporting agency discovered the data breach.