Equifax CEO Richard Smith Out​ After Criticism Over Lax Security, Response To Breach

ATLANTA, GA — Hackers stole sensitive personal data of about 143 million Americans in an Equifax cybersecurity attack, and the credit reporting agency's CEO Richard Smith is retiring effective immediately.

Smith is also stepping down from his chairman position. The shake-up, announced Tuesday, comes after Equifax revealed hackers exploited a software flaw — that the company didn't fix — to steal highly sensitive personal information that are key to identify theft.

Smith had been Equifax's CEO since 2005. Paulino do Rego Barros Jr. was named interim CEO and board member Mark Feidler was appointed non-executive chairman. Barros most recently served as president of the Asia Pacific region. (For more information on the Equifax data breach and other Atlanta stories, subscribe to Patch to receive daily newsletters and breaking news alerts. If you have an iPhone, click here to get the free Patch iPhone app.)

Equifax said that it will conduct a search for a permanent CEO, considering both internal and external candidates.

While the company said in a statement that Smith was retiring, Equifax said in a regulatory filing that it has not entered into any other arrangement or agreement with Smith in connection with his retirement. He will however, serve as an unpaid adviser to help with the transition process.

The company said in the filing that Smith will not receive his yearly bonus, and his other potential retirement-related benefits won't be awarded until Equifax concludes an independent review of the data breach.

"The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right," Smith said in a statement. "At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward."

Although many analysts had applauded Equifax's performance under Smith, he and the rest of his management team had come under fire for lax security and its response to the breach.

Smith's departure follows the abrupt retirement of Equifax's chief security officer and chief information officer.

Equifax had tried to appease incensed lawmakers, consumers and investors on Sept. 15 with the unceremonious retirement of its chief security officer and chief information officer, who were responsible for managing and protecting the company's technology.

But that wasn't enough, with lawmakers drawing up bills that would impose sweeping reforms on Equifax and its two main rivals, Experian and TransUnion, and Equifax's stock in a downfall that wiped out one third-of the Atlanta company's value — a $5.5 billion setback.

Smith had been scheduled to appear Oct. 3 during a Congressional hearing that would likely have turned into a public lambasting. It's not immediately clear whom Equifax will send in Smith's place to face lawmakers' wrath.

The data breach might not have happened if Equifax had responded promptly to a March warning about a known security weakness in a piece of open-source software called Apache Struts. Even though a repair was released, Equifax didn't immediately install it. Digital burglars used the crack in Equifax's computer systems to break in from May 13 through July 30, according to the company's accounting.

Equifax said it didn't fathom the breadth of information that had been stolen until shortly before issuing a public alert on Sept. 7, triggering the wave of withering condemnations that has led to Smith's departure.

The jobs of other Equifax executives could still be in jeopardy. Three of them, including Equifax's chief financial officer, are under scrutiny for selling some of their company shares for a combined $1.8 million before the breach disclosure hammered Equifax's stock.

Smith's departure also won't make life any easier for most of the U.S. adult population who had their information accessed through no fault of their own, but now have to worry about impostors assuming their identities to obtain credit cards and apply for loans so they can run up huge bills.

Equifax Inc. is providing a year of free protection against identify theft for anyone who wants it, but some lawmakers are trying to pressure the company into extending that offer for the next decade. Some experts say that still isn't enough to guard against identify theft and are advising consumers to put a freeze on their files at Equifax, Experian and TransUnion to prevent anyone from getting a loan under their names.

A credit freeze though creates its own headaches since it also prevents the person making it from getting a new credit card, mortgage, auto loan or even an expensive smartphone paid through monthly installments. It also costs money to do at Experian and TransUnion in most states. Equifax is temporarily waiving its normal fee for credit freeze as another part of its effort make amends for its security breakdown.

By KEN SWEET and MICHAEL LIEDTKE

Photo credit: Joey Ivansco/Atlanta Journal-Constitution via AP