Equifax CEO steps down after data breach; he’ll still get $18-million pension – Los Angeles Times
Equifax announced Tuesday that its chief executive would step down effective immediately, weeks after the credit-reporting company disclosed a massive data breach.
Richard Smith, who also served as chairman of the Equifax board, is the latest casualty at the company as a result of the breach, which exposed the Social Security numbers and birthdates of as many as 143 million people.
The board appointed Paulino do Rego Barros Jr., a seven-year veteran of the company who most recently served as its Asia Pacific region president, as interim CEO. The board also appointed independent member Mark Feidler to serve as non-executive chairman.
Equifax said it would start a search for a permanent CEO and would consider candidates from outside the company.
“The board remains deeply concerned about and totally focused on the cybersecurity incident,” Feidler said in a written statement. “We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again. Speaking for everyone on the board, I sincerely apologize.”
Feidler, a partner and co-founder of private equity firm MSouth, said the board has formed a special committee “to focus on the issues arising from the incident and to ensure that all appropriate actions are taken.”
Equifax, one of the nation’s three major credit-reporting companies, revealed the data breach Sept. 7. The company said a website vulnerability led to an intrusion that lasted from mid-May through July.
The breach was discovered July 29, and Equifax said it spent the following weeks working with a cybersecurity consultant and authorities on an investigation.
Equifax has been sharply criticized for the delay in making the data breach public and for initially offering free credit monitoring and identity theft protection to U.S. customers only if they agreed to resolve all disputes in private arbitration.
Investigations have been launched by regulators, congressional committees and state attorneys general. Smith was scheduled to testify at a House Energy and Commerce Committee hearing Oct. 3 and a Senate Banking Committee hearing the following day.
Smith is still expected to testify at the House hearing.
“I look forward to hearing directly from Mr. Smith on this unprecedented breach impacting millions of Americans,” said Rep. Greg Walden (R-Ore.), chairman of the House committee.
A Senate Banking Committee spokeswoman did not immediately respond to a request about whether Smith would still appear at the Oct. 4 hearing.
Smith is leaving after 12 years leading Equifax, the company said.
”Equifax is a substantially stronger company than it was 12 years ago,” Feidler said. “At this time, however, the board and Rick agree that a change of leadership is in order.”
Smith said in a statement that serving as the company’s CEO “has been an honor.”
Although a company news release said Smith was retiring, Equifax spokeswoman Ines Gutzmer said Smith and the board “expressly agreed to defer any formal characterization of his departure and the determination of any payments or benefits” he is owed until after the review of the data breach.
Smith will not receive any 2017 bonus nor any severance, she said.
Smith earned $15 million in total compensation in 2016, including a $1.5-million base salary and $7.3 million in stock awards, according to the company’s securities filings.
As of Dec. 31, his pension was valued at $18.4 million, the filings showed. Smith is entitled to that pension “under any circumstances,” Gutzmer said.
Smith isn’t the first Equifax executive to step down since the breach. On Sept. 15, Equifax announced that its chief information officer and chief security officer were retiring effective immediately.
Equifax has said the hackers exploited a vulnerability in one of its U.S. websites.
Brian Krebs, a cybersecurity expert and author of the website Krebs on Security, said the attackers gained access to the inner workings of the software of the site, which “allowed the hackers to behave as if they were inside the company accessing that data.”
“It’s like you left the back door open to your house — wide open,” he said.
The software at issue is widely used by companies and others, and Krebs said its vulnerability to attack was first spotted by the industry in March and that a patch was available to fix it.
“But Equifax didn’t patch it until after the damage was done,” Krebs said. “The bad guys beat them to it.”
8 a.m.: This article was updated with details about Smith’s compensation and about congressional hearings next week.
6:50 a.m.: This article was updated with additional details and background information.
This article originally was published at 6:10 a.m.