Ex-Expedia IT worker hacked firm to commit insider trading after he left

The power of a stolen company laptop is real!

David bisson
David Bisson

Ex-Expedia IT worker hacked firm to commit insider trading after he left

A former employee of Expedia has admitted he stole private information from executives at his former employer to commit insider trading.

Jonathan Ly, 28, of San Francisco, California pleaded guilty to security fraud after the United States Securities and Exchange Commission (SEC) brought charges against him.

SEC alleges the conspiracy began back in March 2013 when Ly was still a Senior IT Support Technician at the Bellevue-based travel company. In that capacity, Ly was granted IT administrative access privileges sometimes received Expedia employees’ network credentials so that he could help them with technology issues on their devices.

Sign up to our free newsletter.
Security news, advice, and tips.

Ly knew he could access an employee’s computer only with their permission and/or for an authorized business purpose. But that didn’t stop him. Not in the slightest.

As SEC explains in its complaint:

“In or about July 2013, Ly discovered that he could electronically intrude without authorization (‘hack’) into Expedia senior executives’ company computers by using Expedia’s IT administrative access privileges. Through his hacks, Ly repeatedly viewed the contents of electronic documents maintained by Expedia executives on their company computers, including the files of the Chief Financial Officer (‘CFO’) and the Head of Investor Relations, without anyone’s knowledge or permission….”

For two years, Ly continued to hack company computers and email accounts. He even continued to do so after he voluntarily left the company in April 2015. How? Unbeknownst to his former employer, he kept a laptop given to him by Expedia that allowed him to access the company’s internal network.

Ly ultimately used the information he stole to execute several well-timed securities trades in Expedia’s options. Those deals netted him a profit in excess of US $331,000.

Screen shot 2016 12 09 at 12 58 25 pm

Yeah… but the thief’s golden days were never meant to last.

As the former employee continued to access the corporate network, CNN reports that Expedia eventually detected the conspiracy via the help of “enhanced monitoring practices [it] had in place.” The travel corporation then worked with law enforcement to put a stop to the illegal activities.

Ly will pay Expedia more than US $375,000 to cover the amount he stole plus interest. He has also agreed to hand over another US $81,592 that the company spent on investigating his crimes.

That plea agreement notwithstanding, the former IT technician is still in the thick of it. Ly faces 25 years in prison for his crimes as well as a US $250,000 fine. He is scheduled to received his sentence on 28 February 2017.

This case, along with those involving FIN4 and a group of newswire hackers, demonstrates the determination of the SEC to punish those who engage in insider trading.

But at the end of the day, no organization wants to go through a criminal investigation into one of its employees.

That’s why companies should try to prevent malicious insiders like Ly from running amok in their network. They can do so by reviewing the audit log of administrator accounts on a regular basis, making sure they revoke passwords, and collect all company-issued devices from an ex-employee before they leave the building.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

3 comments on “Ex-Expedia IT worker hacked firm to commit insider trading after he left”

  1. Simon

    This incident flags two things;

    It's people like these that tarnishes the industry, and

    highlights the inefficiencies in Expedia's Asset and Identity Management when people depart from the organisation.

    Having said that, he could've siphoned sensitive/confidential information in other ways during his tenure and still committed nefarious activities.

  2. Mordac

    "Ly was granted IT administrative access privileges sometimes received Expedia employees' network credentials" [sic]

    That's a 101-ism, surely. Does a company the size of Expedia really not drum into all employees that they should never, ever, under any circumstances share their passwords with anyone else?

    1. Simon · in reply to Mordac

      Any IT policy worth it's salt would stipulate that and everyone 'should' know the possible consequences by sharing/giving out passwords… But hey, silly things like these keep happening.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.