NEW YORK (AP) — Equifax CEO Richard Smith is retiring effective immediately as the credit reporting agency tries to clean up the mess left by a damaging data breach that exposed highly sensitive information about 143 million Americans.
The shake-up announced Tuesday comes after Equifax disclosed that hackers exploited a software flaw that the company didn’t fix to heist Social Security numbers, birthdates and other personal data that provide the keys to identify theft.
Smith will also step down from the chairman post. He had been Equifax’s CEO since 2005. Paulino do Rego Barros Jr. was named interim CEO, while board member Mark Feidler was appointed non-executive chairman. Barros most recently served as president of the Asia Pacific region.
Equifax said that it will conduct a search for a permanent CEO, considering both internal and external candidates.
While the company said in a statement that Smith was retiring, Equifax said in a regulatory filing that it has not entered into any other arrangement or agreement with Smith in connection with his retirement. He will however, serve as an unpaid adviser to help with the transition process.
The company said in the filing that Smith will not receive his annual bonus, and his other potential retirement-related benefits won’t be awarded until Equifax concludes an independent review of the data breach.
“The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right,” Smith said in a statement. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”
Although many analysts had applauded Equifax’s performance under Smith, he and the rest of his management team had come under fire for lax security and its response to the breach.
Smith’s departure follows the abrupt retirement of Equifax’s chief security officer and chief information officer.
Equifax had tried to appease incensed lawmakers, consumers and investors on September 15 with the unceremonious retirement of its chief security officer and chief information officer who were responsible for managing and protecting the company’s technology.
But that wasn’t enough, with lawmakers drawing up bills that would impose sweeping reforms on Equifax and its two main rivals, Experian and TransUnion, and Equifax’s stock in a downfall that wiped out one third-of the Atlanta company’s value — a $5.5 billion setback.
Smith had been scheduled to appear Oct. 3 during a Congressional hearing that would likely have turned into a public lambasting. It’s not immediately clear whom Equifax will send in Smith’s place to face lawmakers’ wrath.
The data breach might not have happened if Equifax had responded promptly to a March warning about a known security weakness in a piece of open-source software called Apache Struts. Even though a repair was released, Equifax didn’t immediately install it. Digital burglars used the crack in Equifax’s computer systems to break in from May 13 through July 30, according to the company’s accounting.
Equifax said it didn’t fathom the breadth of information that had been stolen until shortly before issuing a public alert on September 7, triggering the wave of withering condemnations that has led to Smith’s departure.
The jobs of other Equifax executives could still be in jeopardy. Three of them, including Equifax’s chief financial officer, are under scrutiny for selling some of their company shares for a combined $1.8 million before the breach disclosure hammered Equifax’s stock.
Smith’s departure also won’t make life any easier for most of the U.S. adult population who had their information accessed through no fault of their own, but now have to worry about impostors assuming their identities to obtain credit cards and apply for loans so they can run up huge bills.
Equifax Inc. is providing a year of free protection against identify theft for anyone who wants it, but some lawmakers are trying to pressure the company into extending that offer for the next decade. Some experts say that still isn’t enough to guard against identify theft and are advising consumers to put a freeze on their files at Equifax, Experian and TransUnion to prevent anyone from getting a loan under their names.
A credit freeze though creates its own headaches since it also prevents the person making it from getting a new credit card, mortgage, auto loan or even an expensive smartphone paid through monthly installments. It also costs money to do at Experian and TransUnion in most states. Equifax is temporarily waiving its normal fee for credit freeze as another part of its effort make amends for its security breakdown.