Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
After Mega-Breach at Equifax, CEO Richard Smith Is OutFollowing in CIO and CSO's Footsteps, Smith Has 'Retired,' Equifax Board Says
Richard Smith has exited the Equifax building - mostly.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The embattled CEO and chairman of the Equifax board has retired, effective immediately, the Atlanta-based credit bureau's board of directors announced Tuesday. But he'll remain in an unpaid capacity, the board says, "to serve as an unpaid adviser to Equifax to assist in the transition" as it seeks a new CEO.
"The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right," Smith says in a statement. "At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward."
Equifax suffered a record breach, which it publicly disclosed Sept. 7, of sensitive data on 143 million U.S. consumers, whose details Equifax and other data brokers sell as a product. If past breaches are any guide, these data breach victims will likely see little if any compensation from Equifax over the breach, and yet be at heightened risk of identity theft for the rest of their lives.
The FBI has launched a criminal investigation into the hack of Equifax. The company says it was breached after attackers exploited a vulnerability in its Apache Struts web platform that Equifax failed to patch, despite a security update being available.
Equifax is now facing investigations by at least 40 state attorneys general, probes by the Federal Trade Commission and the U.S. Securities and Exchange Commission, inquiries from regulators in Canada and the United Kingdom, consumer lawsuits in the United States and Canada, as well as what will likely be multiple lawsuits by financial services firms and card brands trying to recover card-reissuing and fraud costs (see Credit Union Sues Equifax Over Breach-Related Fraud Costs).
Many security watchers had been calling for Smith to resign - or else for the board to fire him - over the company's failure to safeguard sensitive consumer data.
Smith's Sept. 26 "retirement" follows Equifax announcing on Sept. 15 that its then-current CIO David Webb and CSO Susan Maudlin would be retiring. Equifax's curious choice of language, and apparent attempt to spin the departure of key technology executives with apparent breach responsibility as a retirement - rather than firing for cause - led some observers to question whether the credit reporting agency was taking its breach seriously enough (see More Questions Raised After Equifax CIO, CSO 'Retire').
The jettisoning of Smith looks like belated damage control for the credit reporting bureau, which on Sept. 7 issued a public notification for a data breach that apparently began in March and which the company detected four months later, in late July.
Smith Will Assist With Transition
In response to a question about why Smith was not fired, an Equifax spokeswoman tells Information Security Media Group that Smith has supported the move to a new CEO and chair of the board and that "he volunteered to help in any way he can with an orderly transition and wanted to ensure that the board had as much time as it needed to complete a full and independent [breach] assessment."
A form 8-K filed Tuesday by Equifax with the SEC says that Smith will assist with the transition "for a period of no more than 90 days" and "provide reasonable assistance to the company without compensation." It adds that while serving in this capacity, "Smith shall be afforded indemnification and advancement rights to the full extent provided in his existing indemnification arrangements and pursuant to all applicable laws."
Although Smith has retired, Equifax says that he would not receive his $5.2 million severance package or 2017 annual bonus, but that he may eventually receive additional payments or benefits that he is due. Smith received about $15 million in pay last year.
Equifax says the breach exposed:
- 143 million U.S. consumers' personal details, including names, birthdates, addresses, Social Security numbers and in some cases driver's license numbers;
- 209,000 U.S. consumers' payment cards;
- 182,000 U.S. consumers' credit dispute documents, containing personal information;
- 400,000 British consumers' personal details, which the company was accidentally storing on its U.S. servers;
- 100,000 Canadian consumers' personal details.
In Smith's place, the board has appointed Paulino do Rego Barros, Jr., who most recently served as president of Asia Pacific for Equifax, and who has worked at the company for seven years, as its interim CEO.
Equifax board member Mark Feidler has been appointed as non-executive chairman of the board. The board will undertake a search for a new CEO.
"The board remains deeply concerned about and totally focused on the cybersecurity incident," Feidler says in a statement. "We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again.
"Speaking for everyone on the board, I sincerely apologize. We have formed a special committee of the board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken."
Smith is due to testify Oct. 3 before the U.S. House Energy and Commerce Committee, and other lawmakers had signaled that they also planned to call Smith to testify. An Equifax spokeswoman tells ISMG that Smith is still scheduled to go to Washington to testify.
Some have suggested that the Equifax breach might serve as a watershed moment, leading Congress to pass new legislation to regulate data brokers such as Experian, Equifax and TransUnion, and hold them to account - perhaps via significant fines - if they mishandle U.S. consumers' personal data. But the Republican-controlled Congress has signaled that it likely will not pass any such laws (see Cynic's Guide to the Equifax Breach: Nothing Will Change).
Poster Child for Bad Breach Response
While any company can potentially be breached, Chris Pierson, chief security officer and general counsel for payment services firm Viewpost, says Equifax has set a new standard for how to mishandle not just organizational cybersecurity and governance, but also breach response.
"The CEO and his team of internal and external providers bungled every step of the response: messaging, PR, consumer protection communications and offers, and everything else imaginable," Pierson tells ISMG. "The breach is a shining example of what happens when you do not prepare for data breach response ahead of time, do not adequately table top your responses, and do not have that single incident commander leading the charge."
While Equifax's stock price took a dive after the breach was announced, it has recently regained some of its value.
In general, breached businesses suffer no long-term stock damage, except for a handful of exchanges that have been driven into bankruptcy after hackers stole all of their cryptocurrency, as well as Yahoo, which had the misfortune to discover not one, but two, massive breaches after Verizon bid for the firm last year.
Verizon subsequently closed the acquisition of Yahoo after negotiating a $350 million discount, then jettisoned Yahoo's entire senior management team.
Even so, Yahoo's now-former CEO, Marissa Mayer, walked away with at least $250 million following the Verizon deal.
Officials at Equifax, however, say that Smith has not left with any severance package or bonus, although that could change. "Smith will not receive any bonus for 2017, and he will not receive any severance or any accelerated vesting," the Equifax spokeswoman says. "Although [his] departure was described as a retirement, Mr. Smith and the board expressly agreed to defer any formal characterization of his departure and the determination of any payments or benefits owed to Mr. Smith until a later date, after the independent directors are able to complete an independent review of the 2017 cybersecurity incident."
Any further payments or benefits would be on top of Smith receiving a pay package that in 2016 alone was worth nearly $15 million. Since Smith joined Equifax as CEO in 2005, he has received about $127 million in total compensation, the Wall Street Journal reports, adding that under Equifax's pension and retirement plan he will likely see an additional $18.4 million. Smith also owns more than 285,000 Equifax shares - 62,000 have yet to vest - worth more than $29 million, based on the current market value of the company's stock.
Sept. 28 update: Added additional details relating to Smith's compensation, likely pension as well as stock ownership.