A former information technology specialist at Expedia has been charged with trading on nonpublic information he obtained by hacking the online travel agency’s head of investor relations and other senior executives.
The U.S. Securities and Exchange Commission said Jonathan Ly, 28, used his position in tech support to illegally trade Expedia stock options in advance of nine earnings and other news announcements from 2013 to 2016, generating nearly $350,000 in profits.
He allegedly accessed the email account of the head of investor relations to obtain a document that summarized Expedia’s earnings for a particular quarter and continued his scheme even after he left Expedia in April 2015.
To settle the SEC’s civil charges, Ly agreed to pay $375,907 in disgorgement and interest. In a parallel criminal case, he pleaded guilty Monday to securities fraud and agreed to repay Expedia the $81,592 it spent investigating his hack.
“The irony of our increasingly digital world is that the greatest threat to our networks is a human one,” Annette L. Hayes, the U.S. Attorney in Seattle, said in a news release. “In this case, an IT professional used his employer’s networks to facilitate a get-rich-quick scheme.”
Ly joined Expedia’s corporate IT services department as a senior support technician in March 2013. The job gave him IT administrative access privileges and access to employees’ network credentials and, according to the SEC, he discovered he could use them to hack into senior executives’ computers.
In addition to the head of investor relations’ pre-earnings reports for seven quarters, he accessed confidential information about an exclusive marketing agreement between Expedia and Travelocity and the Department of Justice’s approval of Expedia’s acquisition of Orbitz Worldwide before the public announcements of these events.
“Using the non-public information Ly executed a series of well-timed trades in Expedia stock options,” prosecutors said.
After resigning from Expedia, Ly allegedly kept a company laptop, allowing him to connect remotely to Expedia’s network and so continue stealing information contained in its computers and email accounts.