Updated 5:15 p.m. with statement from Jonathan Ly’s attorney
A former IT technician for Expedia subsidiary Hotwire pleaded guilty Monday morning to allegations of breaking into employee accounts and stealing sensitive information from documents and emails that he used for insider trading.
According to charges filed last week in U.S. District Court of Western Washington, Jonathan Ly used information he got from accounts as high up as the company’s chief financial officer and head of investor relations to pocket $331,000 from stock trades between 2013 and late 2015, surrounding events such as quarterly earnings reports, and the acquisitions of Travelocity and Orbitz.
“A former Expedia, Inc. employee has been prosecuted for unlawfully using his administrative privilege to gain access to company information that enabled him to trade Expedia stock for profit,” Expedia said in a statement.
Ly will be sentenced for a single count of securities fraud in February. He will have to pay $81,592 in restitution to Expedia, and he also agreed to pay $380,000 to the U.S. Securities and Exchange Commission. The maximum penalty for securities fraud is 25 years in prison and a $250,000 fine, according to the U.S. Attorney’s office, but Ly’s sentence will be determined by the circumstances of the case.
Ly’s attorney, John M. Runfola, issued the following statement on the case:
Mr. Ly is deeply sorry for the activity he engaged in and the people and corporation he has impacted. He has admitted his guilt, agreed to pay Expedia restitution for the cost of their investigation and has signed a civil settlement with the SEC agreeing to return any and all profits he made. At age 28, he is looking forward to accepting any additional punishment the court feels is necessary at his sentencing scheduled for early next year so he can move on with his life in a positive direction.
As a “senior IT support technician” based in San Francisco, Ly routinely had access to Hotwire and Expedia employee login information and devices. Ly allegedly used those credentials to break into company files to get information he later used in stock transactions.
“By exploiting his administrative access privileges, he could not only access a remote Expedia employee’s electronic device, he could also open and view the content of any electronic files that were saved locally to that device without knowledge of the Expedia employee,” according to court documents.
Ly allegedly went even further in 2014 when, according to court documents, he started using an IT administrative service that he was not authorized to use and that gave him even more access to employee accounts, including individual emails. Court documents say Ly tried to cover his tracks by using the login credentials of other employees when using the service to look at sensitive information.
Ly’s alleged acts didn’t end when he left the company in April 2015, court documents say. Ly kept a company-issued laptop that could connect to Expedia’s network, and he used other employees’ login information to continue breaking into Expedia files and emails.
Expedia said it detected Ly’s alleged actions through “enhanced monitoring practices we had in place. Expedia worked closely with law enforcement authorities to identify, track, pursue, and put a halt to these activities.”
Ly’s legal team did not immediately respond to a request for comment.
Here is Expedia’s full statement on the case:
A former Expedia, Inc. employee has been prosecuted for unlawfully using his administrative privilege to gain access to company information that enabled him to trade Expedia stock for profit. Detection was achieved via enhanced monitoring practices we had in place. Expedia worked closely with law enforcement authorities to identify, track, pursue, and put a halt to these activities. Expedia has been and remains committed to a rigorous and continual improvement cycle for all elements of its security posture.
Below is the case against Ly from the U.S. Attorney’s office.