Richard Smith’s departure takes effect immediately, making him the third Equifax official to leave after hackers compromised data for 143M consumers
Equifax CEO and Chairman Richard Smith stepped down Tuesday, becoming the latest executive of the credit-reporting giant to leave following a massive cyberbreach that compromised personal information for 143 million U.S. consumers.
Announcing that Smith’s retirement would take effect immediately, the company named current board member Mark Feidler to serve as non-executive chairman. Paulino do Rego Barros, a seven-year Equifax veteran who most recently served as president of Asia Pacific, was appointed as interim CEO, pending a search for a permanent successor in that post.
“The board remains deeply concerned about and totally focused on the cybersecurity incident,” Feidler said in a statement issued with the announcement. “We are working intensely to support consumers and make necessary changes to minimize the risk that something like this happens again.”
Trading in Equifax shares was halted briefly before U.S. financial markets opened, pending the announcement.
Smith is the third executive whose Equifax career was ended by the cyberbreach and subsequent criticism of the company’s cybersecurity precautions — as well as its handling of consumer response after the hacking attack was discovered and announced.
The company announced on Sept. 15 that its chief information officer and the chief security officer were also retiring.
The data breach and botched handling of the post-crisis response have sent Equifax shares plunging.
A week after the Sept. 7 disclosure of the breach, the stock was down more than 37% from the $142.72 per share price before the cyberbreach. Equifax shares have since rebounded more than 17%. They closed at $105.09 Monday.
However, heading into Tuesday’s trading, the stock remained 26.4% lower than its pre-crisis price, representing a more than $4.5 billion loss of market value. Equifax shares were down nearly 1.1% at $103.98 in Tuesday morning trading.
Carried out by what the company characterized as criminal hackers, the unauthorized access to personal information for nearly 44% of the U.S. population occurred from mid-May through July 2017 and primarily involved names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers, Equifax said.
Additionally, the hackers gained access to credit card numbers for roughly 209,000 consumers, plus certain dispute documents with personal identifying information for approximately 182,000 consumers.
Equifax also identified unauthorized access to limited personal information for certain residents of the United Kingdom and Canada.
The company has offered one year of free credit monitoring and identity theft protection to all consumers, regardless of whether they suffered specific financial damage following the cyberbreach.
However, the rollout of that offer was marred by electronic difficulties and other problems that made it difficult for consumers to determine quickly whether their personal data had been affected and slowed enrollments in the credit monitoring offer.
Equifax also has been peppered with questions about insider stock sales by three executives after the cyberbreach was discovered but before it was disclosed to consumers.
Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares with a market value of nearly $946,400, while Joseph Loughran, president of Equifax’s U.S. Information Solutions, exercised options to sell nearly $584,100.
Rodolfo Ploder, president of business unit Workforce Solutions, sold shares valued at nearly $250,500 on Aug. 2, the filings show. The three executives continued to hold tens of thousands of Equifax shares after the transactions.
Equifax said the officials “had no knowledge that an intrusion had occurred” at the time they sold their shares.
Equifax has also faced questions about its handling of efforts to deal with the electronic vulnerability in an open-source application known as Apache Struts that enabled hackers to get in.
The U.S. government’s Computer Emergency Readiness Team disclosed the vulnerability in early March 2017. Equifax said that it “was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems” in the electronic infrastructure.
“While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing,” the company said on Sept. 15.
Smith had been expected to answer questions about the cyberbreach and fallout during an Oct. 3 hearing by the House Subcommittee on Digital Commerce and Consumer Protection. The hearing was still scheduled as of Tuesday, but it was not immediately clear whether Smith or someone else from Equifax would testify.
Smith’s departure was “well past due,” but represents a “weak second step” after the earlier retirements of Equifax’s top information and security officials, said Jeffrey Sonnenfeld, the Yale School of Management’s senior associate dean for leadership studies.
“The buck stops in the corner suite,” said Sonnenfeld, who questioned why Equifax has not moved to claw back recent bonuses awarded to Smith and the other departed executives.
“This is a mid-sized company with a devastatingly broad reach,” added Sonnenfeld. “The errors are not due to wild unknowns in emerging technologies. The errors are basic management missteps in intelligent data management and crisis response.”