A former employee of Expedia has admitted he stole private information from executives at his former employer to commit insider trading.
Jonathan Ly, 28, of San Francisco, California pleaded guilty to security fraud after the United States Securities and Exchange Commission (SEC) brought charges against him.
SEC alleges the conspiracy began back in March 2013 when Ly was still a Senior IT Support Technician at the Bellevue-based travel company. In that capacity, Ly was granted IT administrative access privileges sometimes received Expedia employees’ network credentials so that he could help them with technology issues on their devices.
Ly knew he could access an employee’s computer only with their permission and/or for an authorized business purpose. But that didn’t stop him. Not in the slightest.
As SEC explains in its complaint:
“In or about July 2013, Ly discovered that he could electronically intrude without authorization (‘hack’) into Expedia senior executives’ company computers by using Expedia’s IT administrative access privileges. Through his hacks, Ly repeatedly viewed the contents of electronic documents maintained by Expedia executives on their company computers, including the files of the Chief Financial Officer (‘CFO’) and the Head of Investor Relations, without anyone’s knowledge or permission….”
For two years, Ly continued to hack company computers and email accounts. He even continued to do so after he voluntarily left the company in April 2015. How? Unbeknownst to his former employer, he kept a laptop given to him by Expedia that allowed him to access the company’s internal network.
Ly ultimately used the information he stole to execute several well-timed securities trades in Expedia’s options. Those deals netted him a profit in excess of US $331,000.
Yeah… but the thief’s golden days were never meant to last.
As the former employee continued to access the corporate network, CNN reports that Expedia eventually detected the conspiracy via the help of “enhanced monitoring practices [it] had in place.” The travel corporation then worked with law enforcement to put a stop to the illegal activities.
Ly will pay Expedia more than US $375,000 to cover the amount he stole plus interest. He has also agreed to hand over another US $81,592 that the company spent on investigating his crimes.
That plea agreement notwithstanding, the former IT technician is still in the thick of it. Ly faces 25 years in prison for his crimes as well as a US $250,000 fine. He is scheduled to received his sentence on 28 February 2017.
But at the end of the day, no organization wants to go through a criminal investigation into one of its employees.
That’s why companies should try to prevent malicious insiders like Ly from running amok in their network. They can do so by reviewing the audit log of administrator accounts on a regular basis, making sure they revoke passwords, and collect all company-issued devices from an ex-employee before they leave the building.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.