Updated at 12:01 p.m. ET
Equifax Chairman and CEO Richard F. Smith is retiring, the credit reporting agency announced Tuesday. The news comes just weeks after the company said a massive data breach exposed the personal information of up to 143 million people.
At the time, the company also acknowledged that it had waited more than a month to alert people to the breach, a delay that potentially gave hackers access to U.S. consumers’ names, Social Security numbers, addresses, birthdates — and, for some people, their credit card information.
“The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right,” Smith said in a statement Tuesday. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”
His retirement is effective immediately. Less than two weeks ago, two other top executives, Chief Information Officer David Webb and Chief Security Officer Susan Mauldin, stepped down in similar fashion.
“It’s not surprising that the CEO is stepping down,” NPR’s Chris Arnold tells Morning Edition. “This was just such a colossal disaster for this company. And not only for this company, but it’s going to echo through the whole industry.”
“Equifax has to look like it’s taking this seriously and making big changes all the way to the top,” he says.
More than 30 state attorneys general, a U.S. Senate panel and federal authorities are investigating Equifax. Chris says, “Now the question is, does this hack change the landscape? Will Congress actually push for some reforms?”
He points out that consumer advocates “have complained about the credit reporting agencies for years. They collect all this information, they don’t ask your permission, and then if the information gets messed up, it can be very, very hard to get it corrected.”
The fact of the data breach isn’t the only controversy swirling around Equifax, as NPR’s Alina Selyukh has noted.
“The credit reporting company has said that it discovered ‘unauthorized access’ to its systems on July 29,” Alina reported earlier this month. “Regulatory filings show the three Equifax executives — Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder — completed stock sales on Aug. 1 and 2.”
The agency denies these executives knew about the data breach “at the time they sold their shares.”
Added to this revelation was another reported by NPR’s Merrit Kennedy: In the days following its acknowledgment of the incident, the company at several times directed concerned consumers to a fake phishing site set up by a software engineer “to educate people rather than steal their information.”
The move elicited further criticism over how Equifax was responding to the massive incident.
“I recommend companies direct people to a site that is trusted and part of their main domain, in order to make sure that something like this doesn’t happen,” Tarah Wheeler, a cybersecurity consultant at Red Queen Technologies, told NPR last week.
That same week, the company also confirmed an additional “security incident involving a payroll-related service” earlier this year.
“We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again,” Mark Feidler, who has stepped into the role of nonexecutive chairman of the board, said in a statement Tuesday.
“Speaking for everyone on the Board, I sincerely apologize. We have formed a Special Committee of the Board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken.”
Paulino do Rego Barros Jr. has been appointed Equifax’s interim CEO.