Richard Smith has exited the Equifax building - mostly.
The embattled CEO and chairman of the Equifax board has retired, effective immediately, the Atlanta-based credit bureau's board of directors announced Tuesday. But he'll remain in an unpaid capacity, the board says, "to serve as an unpaid adviser to Equifax to assist in the transition" as it seeks a new CEO.
"The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right," Smith says in a statement. "At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward."
Equifax suffered a record breach, which it publicly disclosed Sept. 7, of sensitive data relating to 143 million U.S. consumers, whose details Equifax and other data brokers sell as a product. If past breaches are any guide, these data breach victims will likely see little if any compensation from Equifax over the breach, and yet be at heightened risk of identity theft for the rest of their lives.
The FBI has launched a criminal investigation into the hack of Equifax. The company says it was breached after attackers exploited a vulnerability in its Apache Struts web platform that Equifax failed to patch, despite a security update being available.
Equifax is now facing investigations by at least 40 state attorneys general, probes by the Federal Trade Commission and the U.S. Securities and Exchange Commission, inquiries from regulators in Canada and the United Kingdom, consumer lawsuits in the United States and Canada, as well as what will likely be multiple lawsuits by financial services firms and card brands trying to recover card-reissuing and fraud costs (see Credit Union Sues Equifax Over Breach-Related Fraud Costs).
Many security watchers had been calling for Smith to resign - or else for the board to fire him - over the company's failure to safeguard sensitive consumer data.
Smith's Sept. 26 "retirement" follows Equifax announcing on Sept. 15 that its then-current CIO David Webb and CSO Susan Maudlin would be retiring. Equifax's curious choice of language, and apparent attempt to spin the departure of key technology executives with apparent breach responsibility as a retirement - rather than firing for cause - led some observers to question whether the credit reporting agency was taking its breach seriously enough.
The jettisoning of Smith looks like belated damage control for the credit reporting bureau, which on Sept. 7 issued a public notification for a data breach that apparently began in March and which the company detected four months later, in late July.
Equifax says the breach exposed:
143 million U.S. consumers' personal details, including names, birthdates, addresses, Social Security numbers and in some cases driver's license numbers;
Payment card details for 209,000 U.S. consumers' payment card Documents relating to credit disputes, containing personal information for 182,000 U.S. consumers.
400,000 British consumers' personal details, which the company was accidentally storing on its U.S. servers.
100,000 Canadian consumers;
In Smith's place, the board has appointed Paulino do Rego Barros, Jr., who most recently served as president of Asia Pacific for Equifax, and who has worked at the company for seven years, as its interim chief executive officer, succeeding Smith.
Equifax board member Mark Feidler has been appointed as non-executive chairman of the board, which will undertake a search for a new CEO.
"The board remains deeply concerned about and totally focused on the cybersecurity incident," Feidler says in a statement. "We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again.
"Speaking for everyone on the board, I sincerely apologize. We have formed a special committee of the board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken."
Smith was due to testify Oct. 3 before the U.S. House Energy and Commerce Committee, and other lawmakers had signaled that they also planned to call Smith to testify.
Equifax did not immediately respond to a request for comment about whether Smith would still be testifying on the company's behalf before Congress.
Ssome have suggested that the Equifax breach might serve as a watershed moment, leading Congress to pass new legislation to regulate data brokers such as Experian, Equifax and TransUnion, and hold them to account - perhaps via significant fines - if they mishandle U.S. consumers' personal data. But the Republican-controlled Congress has signaled that it will not pass any such laws (see Cynic's Guide to the Equifax Breach: Nothing Will Change).
Poster Child for Bad Breach Response
While any company can potentially be breached, Chris Pierson, chief security officer and general counsel for payment services firm Viewpost, says Equifax has set a new standard for how to mishandle not just organizational cybersecurity and governance, but also breach response.
"The CEO and his team of internal and external providers bungled every step of the response: messaging, PR, consumer protection communications and offers, and everything else imaginable," Pierson tells Information Security Media Group. "The breach is a shining example of what happens when you do not prepare for data breach response ahead of time, do not adequately table top your responses, and do not have that single incident commander leading the charge."
While Equifax's stock price took a dive after the breach was announced, it has recently regained some of its value. In general, breached businesses suffer no long-term stock damage, excepting a handful of exchanges that have been driven into bankruptcy after hackers stole all of their cryptocurrency, as well as Yahoo, which had the misfortune to discover not one, but two, massive breaches after Verizon bid for the firm last year.
Verizon subsequently closed the deal after negotiating a $350 million discount, then jettisoned Yahoo's entire senior management team.
Even so, Yahoo's now-former CEO, Marissa Mayer, walked away with at least $250 million following the Verizon deal.
Officials at Equifax, which is a publicly traded firm, could not be immediately reached for comment on the details of Smith's departure, including any severance agreement or golden parachute that he may have received.