Sat | Oct 20, 2018

Equifax CEO retires amid probe

Published:Wednesday | September 27, 2017 | 12:00 AM
The Equifax Inc headquarters in Atlanta, Georgia.

Equifax CEO Richard Smith retired effective immediately on Tuesday, as the credit reporting agency tries to clean up the mess left by a damaging data breach that exposed highly sensitive information about 143 million Americans.

His departure follows those of two other high-ranking executives after Equifax disclosure that hackers exploited a software flaw that the company didn't fix to access people's Social Security numbers, birth dates and other personal data that provide the keys to identify theft.

Smith, who had been Equifax's CEO since 2005, will also step down from the chairman post. Paulino do Rego Barros Jr, most recently president of the Asia Pacific region, was named interim CEO, while board member Mark Feidler was appointed non-executive chairman. Equifax said it will look both inside and outside the company for a permanent CEO.

Equifax said Smith was retiring, but will not receive his annual bonus and other potential retirement-related benefits until the company's board concludes an independent review of the data breach. If the review does not find Smith at fault, he could walk away with a retirement package of at least US$18.48 million, along the value of the stock and options he was paid out over his 12-year tenure.

Even with the departures of three top executives, Equifax is still facing several inquiries and class-action lawsuits, including Congressional investigations, queries by the Federal Trade Commission and the Consumer Financial Protection Bureau, as well as several state attorneys general.

Three executives, none of them among those who have left, were found to have sold stock for a combined US$1.8 million before Equifax disclosed the most serious breach, though the company says they were unaware of it at the time.

Although analysts had previously applauded Equifax's performance under Smith, he and the rest of his management team had come under fire for lax security and its response to the breach. Confusion over the terms of credit-monitoring protection and jammed phone lines added to people's ire. Its stock has lost a third of its value a US$5.5 billion setback.

The data breach might not have happened if Equifax had responded promptly to a March warning about a known security weakness in a piece of open-source software called Apache Struts. Even though a repair was released, Equifax didn't immediately install it. Digital burglars used the crack in Equifax's computer systems to break in from May 13 through July 30, according to the company's accounting.

Equifax said it didn't fathom the breadth of information that had been stolen until shortly before issuing a public alert on September 7, triggering the wave of withering condemnations that has led to Smith's departure.

- AP