Just weeks after Equifax announced a massive data breach, the company announced CEO Richard Smith would retire. One partner said that Smith's retirement shows that blame and responsibility need to fall on top executives and boards of directors for major security lapses.
The departure is effective immediately, Equifax said, though Smith will remain as an unpaid advisor to the company. The company has appointed Paulino do Rego Barros, Jr. – the former president of Asia Pacific for the company – as interim CEO. Equifax said the search is already underway for a permanent CEO.
The change in leadership comes less than a month after the credit services company announced a mega data breach that impacted 143 million of its customers.
The breach included information on names, birth dates, Social Security numbers, addresses, and some driver's license numbers. It also included more than 200,000 credit card numbers and nearly 200,000 other documents with personal identifying information. The breach was first discovered on July 29, the company said, and was due to a vulnerability in a U.S. website application, which allowed hackers access to certain files.
Since then, the company has faced significant criticism for its data breach response, including customers having a tough time finding out whether they were impacted by the breach, the company posting a link to a phishing site multiple times on its Twitter account, and the company offering only a year's worth of credit monitoring services to those affected.
"The Board remains deeply concerned about and totally focused on the cybersecurity incident. We are working intensely to support customers and make the necessary changes to minimize the risk that something like this happens again. Speaking for everyone on the Board, I sincerely apologize. We have formed a Special Committee of the Board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken," Non-Executive Chairman of the Board of Directors Mark Feidler said in a statement issued 150 days after the security breach.
The departure is just the latest example of a CEO departure after a major security incident. In the last five years, several CEOs have left companies following security breaches, including Target CEO Gregg Steinhafel, Home Depot CEO Frank Blake, Sony Pictures CEO Amy Pascal, Ashley Madison CEO Noel Biderman, and OPM Director Katherine Archuleta.
Equifax CSO David Webb and CIO Susan Mauldin also retired shortly after this incident.
Jeremy Wittkop, CTO of Greenwood Village, Co.-based InteliSecure, said boards of directors and CEOs are getting pulled into paying attention to security whether they like it or not. "If it's affecting shareholder value, it's the CEO's responsibility," Wittkop said. "It's like in the military: the general may not be on the battlefield, but he's responsible for what happens there."
"I think the accountability is falling where it belongs. You have something massive like this, and it happens on your watch: if you didn't know about it, you should have," he said.
However, Wittkop said he doesn't think the retirement of CEO Smith means the Equifax story is over. He said he expects more information to come out as the investigation continues into the incident.
Beyond that, he said the breach would likely cause a ripple effect on regulation, the use of identifiers like Social Security numbers, and how companies approach security prevention and response.