Expedia IT tech made $330K by secretly accessing execs’ files for insider trading

He even tried to pin it on other employees by using their corporate network credentials; he got away with it from 2013 to 2016, but eventually pleaded guilty to securities fraud.

Lots of IT techs have access to network credentials to access company files and emails, but it wouldn’t cross the minds of most to abuse that knowledge for a “get-rich-scheme” in the flavor of insider trading. Yet that doesn’t apply to everyone, since a 28-year-old admitted to exploiting his position in order to gain insider knowledge and illegally trade and profit from those secrets.

Jonathan Ly, a former IT tech for Expedia, pleaded guilty to securities fraud – something FBI Special Agent in Charge Jay S. Tabb, Jr. called, “Particularly egregious because Mr. Ly abused his special access privileges as an IT administrator. On top of violating the trust of the public and his company, he violated the privacy of fellow employees by surreptitiously accessing their files.”

From 2013 to 2015, Ly worked for Expedia as a Senior IT Support Tech from Hotwire’s San Francisco office. He had administration access privileges so he could remotely access electronic files on Expedia devices as well as corporate computer network passwords.

Even after he left Expedia in 2015, he secretly took a corporate laptop so he could continue accessing non-public information. This allowed Ly to “execute a series of well-timed and lucrative securities trades,” which made him over $331,000 net profits.

According to a court document, in 2013, Ly discovered he could exploit his admin privileges to remotely open and view electronic files that were saved locally on Expedia devices. He repeatedly tapped into documents on devices belonging to Expedia’s chief financial officer and its head of investor relations without their knowledge or permission.

By 2014, Ly found out about an IT admin service account which allowed him higher access privileges so he could snoop on employee corporate accounts and emails. Ly used the network credentials of other employees so the intrusions wouldn’t point back at him.

When he left in April 2015, he kept his Expedia laptop so he could still remotely access the company’s networks. He also continued to use other corporate network credentials so accessing computers and emails accounts of Expedia executives couldn’t be pinned on him.

In case you didn’t know, Expedia is huge; its brands include Hotwire, Hotels.com, CheapTickets, CarRentals.com, HomeAway and many more. Just while Ly worked for Expedia, it acquired trivago, Wotif, Travelocity and Orbitz.

The Securities and Exchange Commission (SEC) said, “Ly targeted information prepared by Expedia's head of investor relations summarizing how the market may react to certain announcements.” CNN added, “Access to that kind of secret info before it's publicly released can be very valuable, given how news can cause stocks to move dramatically.”

Once Expedia finally discovered the intrusion, the company turned to the FBI. The FBI conducted a forensic investigation. Although Ly had gotten away with this for years, from 2013 to 2016, the DOJ credited Expedia for its “quick reporting” of the breach which helped the FBI trace the intrusion to Ly. As part of a plea agreement, Ly will pay Expedia the $81,592 the company spent on investigating the intrusion.

The Justice Department noted that Ly pleaded guilty to securities fraud, but also “faces a separate Securities and Exchange Commission action requiring him to pay back the more than $331,000 in profits he made in the scheme.”

25 years in prison and a $250,000 fine is the maximum penalty allowed by law for securities fraud. The sentencing for Ly’s criminal case is scheduled for February 28, 2017.

Ly’s attorney, John Runfola, told CNN that Ly is “deeply sorry” and that he came from an “impoverished background.”

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)