Expedia IT guy made $300,000 by hacking own execs

Watch this hacker break into a company
Watch this hacker break into a company

A former Expedia IT professional admitted on Monday to illegally trading on secrets he discovered by hacking his own company's senior executives.

Jonathan Ly stole passwords and infiltrated devices of Expedia's (EXPE) chief financial officer and head of investor relations, allowing him to make a series of "highly profitable" trades in stock options that scored him $331,000, according to prosecutors.

Ly, a senior IT technician in Expedia's Hotwire.com division, pleaded guilty to securities fraud in U.S. District Court in Seattle. The 28-year-old will have to repay the illegal profits he made from insider trading.

Prosecutors say that between 2013 and 2016, Ly exploited his ability to remotely access electronic devices used by Expedia execs to access documents and emails containing confidential information.

For instance, the SEC said Ly targeted information prepared by Expedia's head of investor relations summarizing how the market may react to certain announcements.

Access to that kind of secret info before it's publicly released can be very valuable, given how news can cause stocks to move dramatically.

Related: Hacks at Russian central bank cost 2 billion rubles

U.S. Attorney Annette Hayes said in a statement that an FBI investigation revealed that Ly "used his employer's networks to facilitate a get-rich-quick scheme."

Ly's lawyer, John Runfola, said his client is "deeply sorry" and noted that he is a young man who came from an "impoverished background."

"He has certainly learned his lesson," Runfola told CNNMoney.

According to the authorities, the insider trading scheme continued even after he left Expedia last year. They say Ly kept an Expedia laptop without the knowledge of his company and continued to access devices and email accounts used by senior company execs to trade. Prosecutors say Ly even made it appear that other Expedia employees were the ones using the devices.

Ly faces potential jail time as securities fraud is punishable by up to 25 years in prison and a $250,000 fine. He is scheduled to be sentenced on February 28, 2017.

Hayes said Expedia quickly contacted the FBI when it discovered the scheme.

Expedia said in a statement to CNNMoney that it detected the intrusion by using "enhanced monitoring practices we had in place." The company said it "worked closely with law enforcement authorities to identify, track pursue and put a halt to these activities."

Related: Hackers destroy computers at Saudi aviation agency

Ly has agreed to repay Expedia for the $81,592 the company spent investigating the computer intrusion.

The SEC settlement, subject to court approval, requires Ly to pay $375,907, including interest.

Jay Tabb Jr., the FBI special agent in charge, said this case was "particularly egregious" because Ly violated the "trust of the public" as well as "violated the privacy of fellow employees."

CNNMoney Sponsors