A former IT worker at Expedia has been found guilty of securities fraud after profiting on the stock market with information gleaned from sensitive internal documents.
Jonathan Ly exploited his position in the IT department of the firm’s Hotwire.com division to remotely access devices and email accounts belonging to the company’s CFO and head of investor relations, gleaning valuable insider information, according to CNNMoney.
That apparently enabled him to make a series of trades, netting profits of over $300,000.
Even after leaving the firm last year, Ly is said to have kept up his illegal account and device hacking after taking an Expedia laptop home with him. The IT professional is also said to have tried to cover his tracks by making it look as if Expedia employees were the ones accessing the devices.
Expedia is said to have finally caught the individual after three years by using “enhanced monitoring practices.”
The 28-year-old Ly will be forced to repay any profits he made from the crime as well as the $81,000 Expedia spent on the investigation. He could also face jail time, as securities fraud apparently carries a maximum sentence of 25 years behind bars and a $250,000 fine.
Rob Sobers, director at Varonis, argued that Expedia’s internal monitoring was wholly inadequate, as were its access management policies, which enabled Ly to infiltrate corporate assets even after he left his role.
“Ly’s actions weren’t subtle. He used his IT service account to access files and emails belonging to the company’s CFO, Mark Okerstrom. If Expedia had employed user behavior analytics on its core IT infrastructure, those events would likely have sounded alarms immediately,” Sobers added.
“In addition, if Expedia had a built-in threat model that detects when accounts display suspicious email activity, such as reading other users’ inboxes or opening files that are atypical for their role, this could have been prevented.”