CEO steps down at Equifax
Credit reporting firm reeling in aftermath of major data breach.
NEW YORK — Equifax CEO Richard Smith stepped down Tuesday, less than three weeks after the credit reporting agency disclosed a damaging hack to its computer system that exposed highly sensitive information for about 143 million Americans.
His departure follows those of two other high-ranking executives who left in the wake of the hack, which exploited a software flaw that the company did not fix to expose Social Security numbers, birthdates and other personal data that provide the keys to identify theft.
Smith, who had been CEO since 2005, also will leave the chairman post.
Equifax said that Smith was retiring but would not receive his annual bonus and other potential retirement-related benefits until the company’s board concludes an independent review of the data breach. If the review does not find Smith at fault, he could walk away with a retirement package of at least $18.48 million, with the value of the stock and options he was paid out over his 12-year tenure. The board also could “claw back” any cash or stock bonuses he may have received, if necessary.
Smith, 57, who made almost $15 million in salary, bonuses and stock last year, will be able to stay on the company’s health plan for life.
Paulino do Rego Barros Jr., most recently president of the Asia Pacific region, was named interim CEO. Board member Mark Feidler was appointed non-executive chairman. Equifax said it will look both inside and outside the company for a permanent CEO.
Even with the departures of three top executives, Equifax is facing several inquiries and class-action lawsuits, including congressional investigations and queries by the Federal Trade Commission and Consumer Financial Protection Bureau, as well as several state attorneys general.
Three other executives were found to have sold stock for a combined $1.8 million before Equifax disclosed the most serious breach, though the company says they were unaware of it at the time.
Although analysts had previously applauded Equifax’s performance under Smith, he and his management team came under fire for lax security and their response to the breach. Confusion over the terms of credit-monitoring protection and jammed phone lines added to people’s ire. The company’s stock has lost a third of its value — a $5.5 billion setback.
Bart Friedman, a lawyer specializing in corporate governance issues for Cahill Gordon and Reindel, said Equifax’s board needed to dump Smith, not only as a public show of penance for the breach but also for the company’s bungling since informing consumers their identities were in danger of being stolen.
Equifax tried to appease incensed lawmakers, consumers and investors by announcing the unceremonious retirement of its chief security officer and chief information officer, who were responsible for managing and protecting the company’s technology. But that wasn’t enough, with lawmakers drawing up bills that would impose sweeping reforms on Equifax and rivals Experian and TransUnion.
The data breach might not have happened if Equifax had responded promptly to a March warning about a known security weakness in a piece of open-source software called Apache Struts. Even though a repair was released, Equifax did not immediately install it.