
The CEO of embattled credit reporting agency Equifax has stepped down in the wake of the hacking scandal that has engulfed his company.
Three weeks ago, Equifax publicly admitted that a disastrous hack of its computer system exposed the sensitive personal information of 143 million Americans.
The breach exploited a software flaw which led to the exposure of Social Security numbers, birthdates and other personal data that provide the keys to identity theft.
Richard Smith, who had been Equifax's chief since 2005, has stepped down as CEO and will also leave the chairman post.
His departure follows those of two other high-ranking executives since the hack.
Equifax called Mr Smith's move a retirement, but he will not receive his annual bonus and other potential retirement-related benefits until the company's board concludes an independent review of the data breach.
Even if the review does find Mr Smith at fault, he could walk away with a retirement package of at least $23.4 million, along with the value of the stock and options he was paid out over his 12-year tenure.
There is a possibility the board could "claw back" any cash or stock bonuses he may have received, but corporations typically set high thresholds for that type of action.
The 57-year-old executive, who made almost $19.05 million in salary, bonuses and stock last year, would also be able to stay on the company's health plan for life.
Paulino do Rego Barros Jr, most recently president of the Asia Pacific region, has been named the interim CEO.
Equifax said it will look both inside and outside the company for a permanent CEO.
Legal battles await Equifax
Even with the departures of three top executives, Equifax is still facing several state and federal inquiries and a myriad of class-action lawsuits.
These include congressional investigations, queries by the Federal Trade Commission and the Consumer Financial Protection Bureau, and probes by several state attorneys-general.
On Tuesday, the city of San Francisco sued Equifax for exposing its residents to identity theft. The state of Massachusetts sued Equifax last week.
Three other executives were found to have sold stock for a combined $2.3 million before Equifax disclosed the breach, though the company says they were unaware of it at the time.
Although Wall Street analysts had previously applauded Equifax's performance under Mr Smith, he and his management team came under fire for lax security and their response to the breach.
Confusion over the terms of credit-monitoring protection and jammed phone lines added to the public's ire.
Equifax's board clearly needed to deal with Mr Smith, not only as a public show of penance for the breach but also for the company's bungling since informing consumers their identities are in danger of being stolen, said Bart Friedman, a lawyer specialising in corporate governance issues.
"This was like a five-alarm fire, and the lack of an appropriate response by management just poured gasoline on that fire," he said.
"If you are sitting on that board, I don't know how you could have permitted him to stay in his role.
"I have rarely seen such a botched response to an existential threat."
Equifax tried to appease incensed politicians, consumers and investors by announcing the unceremonious retirement of its chief security officer and chief information officer last week, who were responsible for managing and protecting the company's technology.
But that was not enough, with politicians drawing up bills that would impose sweeping reforms on Equifax and its two main rivals, Experian and TransUnion.
Smith 'retires' days before congressional hearing
Mr Smith had been scheduled to appear at two congressional hearings next week that would likely have turned into a public lambasting.
The US House Energy and Commerce committee said in a tweet that it still plans to hold its hearing on October 3.
A spokeswoman for the Senate Banking Committee said that panel's October 4 hearing remains scheduled as planned.
Senator Brian Schatz, a Democrat from Hawaii, said Mr Smith's departure just days before he was to appear before Congress was "an abdication of his responsibility".
The senator expected Mr Smith to testify before the Banking Committee "regardless of the timing of his retirement".
The data breach might not have happened if Equifax had responded promptly to a March warning about a known security weakness in a piece of open-source software called Apache Struts.
Even though a repair was released, Equifax did not immediately install it.
Digital burglars used the crack in Equifax's computer systems to break in from May 13 through July 30, according to the company's accounting.
Equifax said it did not fathom the breadth of information that had been stolen until shortly before issuing a public alert on September 7, triggering the wave of withering condemnations that led to Mr Smith's departure.
The jobs of other Equifax executives could still be in jeopardy.
The three executives who sold shares, including Equifax's chief financial officer, are under scrutiny.
In a hearing on Tuesday, the chairman of the Securities and Exchange Commission, Jay Clayton, refused to comment when asked by politicians if executives at Equifax engaged in insider trading when they sold their shares.
Mr Clayton did not confirm or deny that the SEC was investigating the issue.
However, he opened the door to potentially forcing the executives to return the proceeds of the stock sales, if the company's six-week delay in disclosing the breach is found to be improper.
AP