After Mega-Breach at Equifax, CEO Richard Smith Is Out

Following in CIO and CSO’s Footsteps, Smith Has ‘Retired,’ Equifax Board Says

Richard Smith has exited the Equifax building – mostly.

The embattled CEO and chairman of the Equifax board has retired, effective immediately, the Atlanta-based credit bureau’s board of directors announced Tuesday. But the board says he’ll remain “to serve as an unpaid adviser to Equifax to assist in the transition” as it seeks a new CEO.

“The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right,” Smith says in a statement. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”

Equifax suffered a record breach, which it publicly disclosed Sept. 7, of sensitive data on 143 million U.S. consumers, whose details Equifax and other data brokers sell as a product. If past breaches are any guide, these data breach victims will likely see little if any compensation from Equifax over the breach, and yet be at heightened risk of identity theft for the rest of their lives.

The FBI has launched a criminal investigation into the hack of Equifax. The company says it was breached after attackers exploited a vulnerability in its Apache Struts web platform that Equifax failed to patch, despite a security update being available.

Equifax is now facing investigations by at least 40 state attorneys general, probes by the Federal Trade Commission and the U.S. Securities and Exchange Commission, inquiries from regulators in Canada and the United Kingdom, consumer lawsuits in the United States and Canada, as well as what will likely be multiple lawsuits by financial services firms and card brands trying to recover card-reissuing and fraud costs (see Credit Union Sues Equifax Over Breach-Related Fraud Costs).

Many security watchers had been calling for Smith to resign – or else for the board to fire him – over the company’s failure to safeguard sensitive consumer data.

Smith’s Sept. 26 “retirement” follows Equifax announcing on Sept. 15 that its then-current CIO David Webb and CSO Susan Mauldin would be retiring. Equifax’s curious choice of language, and apparent attempt to spin the departure of key technology executives with apparent breach responsibility as a retirement – rather than firing for cause – led some observers to question whether the credit reporting agency was taking its breach seriously enough (see More Questions Raised After Equifax CIO, CSO ‘Retire’).

The jettisoning of Smith looks like belated damage control for the credit reporting bureau, which on Sept. 7 issued a public notification for a data breach that apparently began in March and which the company detected four months later, in late July.
