Equifax CEO steps down in wake of massive data breach

The credit monitoring agency's chief is leaving, effective immediately, just three weeks after disclosure of a hack that touches nearly half the US population.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

The data breach at Equifax just cost the company's CEO his job.

The board of the credit-monitoring company said Tuesday that Richard Smith is stepping down, effective immediately. The departure comes three weeks after Equifax initially announced the breach.

While the full effects of the hack have yet to be determined, the potential for trouble is staggering. As one of three major credit agencies in the US, Equifax holds data on nearly every single American who has a credit card or has applied for a loan. 

"The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right," Smith said in a statement to investors Tuesday. "I believe it is in the best interests of the company to have new leadership to move the company forward." 

In the breach, which Equifax first disclosed Sept. 7, hackers stole information -- including Social Security numbers, credit card numbers, names and addresses -- on up to 143 million Americans, or roughly half the US population. The company said it had failed to patch a security flaw that dated back to March.

The Equifax incident is among the largest hacks in US history and the biggest known leak of this year. In 2013, Yahoo is said to have lost data on roughly 1 billion accounts.

While Equifax sets its own house in order, the world at large has to reckon with a recurring wave of cybersecurity lapses and the seeming inability of businesses and government agencies to erect adequate defenses. Among the latest incidents: On Monday, consulting firm Deloitte said it had been hit with a cyberattack that may have revealed the emails of its high-powered clients, and the US Securities and Exchange Commission last week disclosed that a 2016 breach may have helped hackers pad their stock portfolios.

Smith isn't the only executive to leave in the cyberattack's wake. Equifax's chief information officer and chief security officer departed Sept. 15.

The new leadership at Equifax will start with interim CEO Paulino do Rego Barros Jr., who has been with the company for seven years and who had been overseeing its Asia Pacific department. Meanwhile, Equifax is searching for a permanent CEO. 

Barros will have to deal with the list of security issues that Equifax faces, as well as investigations by the Federal Trade Commission and Congress. Equifax will testify before Congress on Oct. 3, and Smith is still expected to appear, instead of the interim CEO, a spokesperson said.

According to Equifax's SEC filing, Smith won't receive his annual bonus with his retirement, and the board of directors is reviewing his retirement compensation. In 2016 and 2015, he received bonuses of $3 million, Equifax said. He was expected to get about the same amount this year, before he resigned. 

The former CEO will also not be receiving a $5 million severance package, because "his departure is by mutual agreement," an Equifax spokesperson said. But he'll still be getting $18.4 million in his pension benefits, the company said. 

In the company's statement Tuesday, Mark Feidler, the newly appointed non-executive chairman of the board, apologized for the incident. Wall Street firm Cowen said the board's words and actions set "the right tone" ahead of some hard sessions in Washington.

"This is the type of mea culpa that plays well on Capitol Hill," said Jaret Seiberg of Cowen Washington Research Group in a report Tuesday. "These hearings will still be brutal with Democrats and Republicans on the attack. ... So there is still a risk that Equifax is perceived as not doing enough."

The company faces a number of questions about its handling of the data breach, including why it waited more than a month to warn victims. In addition, its chief financial officer, John W. Gamble Jr., sold $1.8 million in Equifax shares just a few days after the company learned about the breach on July 29, weeks before it was announced to the public. 

There have also been concerns raised about its hack checker and the spoofed support URL Equifax accidentally tweeted out.

On the legal front, the Massachusetts attorney general is suing the company, and class action lawsuits have popped up in both Georgia and Oregon.

The issues raised in Equifax's response could have been a major factor in Smith's departure, said Chris Pierson, a chief security officer at Viewpost, an electronic payments company. The CEO change provides an opportunity for Equifax to appoint a security-minded leader.

"Every company depends upon a strong cybersecurity culture and it starts at the top," Pierson said. 

Along with Smith's departure, Equifax said it's creating a special committee to deal with its breach and to manage cybersecurity incidents in the future.

"The Board remains deeply concerned about and totally focused on the cybersecurity incident," Feidler said. "We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again."

First published Sept. 26, 6:28 a.m. PT.
Updates, 6:55 a.m.: adds background information and details; 8:40 a.m.: adds analyst comment; 9:05 a.m.: adds response from Equifax; 1:34 p.m.: adds details on Smith's severance deal.
