Equifax CEO exits in wake of massive data breach

Last Updated Sep 26, 2017 2:24 PM EDT

Equifax (EFX) chief executive Richard Smith is out at the credit reporting agency in the aftermath of a data breach that exposed the personal information of 143 million Americans.

The company said Smith, 57, retired effective Tuesday. Equifax has appointed Paulino do Rego Barros Jr., who most recently ran the company's Asia Pacific business, as the company's interim CEO. 

Smith is still scheduled to appear before the House Energy and Commerce Committee and Senate Banking Committee next week to answer questions about the hack.

Equifax said it would start a search for a new permanent CEO. It added that Smith will stay on as an "unpaid advisor to Equifax to assist in the transition."

The board apologized for the incident. 

"The board remains deeply concerned about and totally focused on the cybersecurity incident," said board member Mark Feidler, who has been appointed non-executive chairman with Smith's retirement, in a statement. "We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again. Speaking for everyone on the board, I sincerely apologize."

Smith, who had led Equifax since 2005, has come under fire since the company disclosed the hack earlier this month. It's not publicly known when he became aware of the breach, which exposed Equifax customers' names, Social Security numbers, credit card data and other sensitive information. At an August meeting two weeks after the company discovered the hack, he stressed Equifax was putting "a huge priority" on protecting data.

In a regulatory filing, the company said Smith won't receive a bonus for 2017. It added that any benefits or obligations due to Smith won't be paid until after it completes an independent review of the data breach. Still, Smith has more than $18 million in pension benefits, according to a regulatory filing. 

Some lawmakers and consumer advocates, including Massachusetts Senator Elizabeth Warren, a Democrat, called for harsher penalties for Smith.

"It's not real accountability if the @Equifax Chairman & CEO resigns without giving back a nickel in pay or publicly answering questions," Warren wrote on Twitter in response to his retirement. 

It's not clear whether Equifax could "claw back" money from Smith or other executives, although the credit reporting agency has a corporate policy that in some cases would allow it to recover executive pay and bonuses. According to a regulatory filing, clawbacks are justified if an executive's misconduct caused the company to restate earnings. A clawback can also be triggered if a "performance measure" is restated or adjusted in a way that would reduce the award or pay to the executive. Employees who are terminated for cause can also be targeted.

Equifax's security chief and chief technology officer have also left the company since the hack. Wall Street analysts had predicted additional changes in leadership were in the works following the breach.

"For Equifax, this means there is going to be tremendous pressure coming from Congress to do a complete replacement of senior management," said Cowen analyst Jaret Seiberg in a recent note.

The Federal Trade Commission, Securities and Exchange Commission and Consumer Financial Protection Bureau, along with the FBI and state attorneys general in at least 40 states, are investigating the cyberattack on Equifax. The breach has also spurred talk of tighter regulations on credit bureaus, which include Experian and TransUnion (TRU).

The scale of the breach makes it one of the biggest in U.S. corporate history. The biggest hack happened to Yahoo, which saw data for more than 1 billion users compromised in two attacks in 2013 and 2014. But the Equifax breach is potentially more damaging for consumers because no Social Security numbers or driver's license information were stolen in the Yahoo hack.