The Washington PostDemocracy Dies in Darkness

Equifax CEO Richard Smith steps down amid hacking scandal

The credit reporting agency, Equifax, announced on Sept. 7 that a hack has impacted the credit histories of up to 143 million Americans. (Video: Amber Ferguson/The Washington Post)

The chief executive of Equifax is retiring, the company said Tuesday, just weeks after the troubled credit reporting agency disclosed that it had suffered a massive data breach affecting as many as 143 million people.

The departure of Richard Smith comes as Equifax has drawn fire from countless consumers and dozens of federal lawmakers over its handling of the breach. Equifax announced earlier this month that hackers gained unauthorized access to sensitive personal data — Social Security numbers, birth dates and home addresses — for nearly half of the country. The company also faces multiple federal investigations over its handling of the hack and reports that executives sold an unusual amount of stock before the breach was publicly disclosed.

Equifax's board of directors appointed board member Mark Feidler to serve as the company's nonexecutive chairman, the company said in a statement Tuesday. Paulino do Rego Barros Jr., who led the company's Asia Pacific division, will become the interim chief executive.

After the breach, Equifax now faces the lawsuits

“The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right,” Smith said in the statement. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”

Smith, 57, had been the chairman and chief executive since 2005, after spending 22 years at General Electric. During Smith's time at Equifax, the company’s stock price had soared 200 percent, and its market value swelled from $3 billion to $20 billion. Smith also expanded the company’s business into 24 countries.

Including salary, stock and changes in pension value, Smith's 2016 compensation was valued at $15 million. But Smith will not receive a bonus this year, according to a new filing with the Securities and Exchange Commission. He will receive an $18 million pension, however. Decisions on additional benefits owed to Smith will be deferred until the board of directors completes an independent review of the data breach.

The board said Smith will act as an unpaid adviser as the company searches for a permanent chief executive. The company also said that the board has created a special committee to examine the breach.

Smith isn't the first high-ranking executive at Equifax to depart since the disclosure of the breach. Earlier this month, two officials responsible for Equifax's security and information technology — chief information officer David Webb and chief security officer, Susan Mauldin -- also abruptly retired.

Congressional hearings about the breach will start next week. Smith is scheduled to testify before a House Energy and Commerce subcommittee on Oct. 3 and the Senate Banking Committee the following day.

Rep. Maxine Waters (Calif.), the top Democrat on the House Financial Services Committee, told The Washington Post in a statement that Smith's retirement does not relieve Equifax of its obligations to answer for its security lapses.

“The public deserves answers about what occurred at Equifax, and its entire board of directors and senior management team should be accountable for the enormous harm caused to consumers across the country,” she said. “There will be consequences. This process is only beginning.”

Before the breach, Equifax sought to limit exposure to lawsuits

Sen. Sherrod Brown (Ohio), the ranking Democrat on the Senate Banking Committee, said that the former CEO and other Equifax executives who left should be denied "a big payday" with their retirements. “Equifax executives cannot be allowed to wash their hands of this while millions of Americans are left to deal with the consequences,” the senator said in a statement to The Post.

Smith's exit could clear the way for new leadership with expertise in cybersecurity, security experts and industry observers said. And the swift departure of the company's chief could stem some of the intense backlash against Equifax.

“The CEO should be held accountable, and the chief executive officer is also the chief risk officer, and clearly this company took on risk that resulted in its hacking problem,” said David Kass, a professor of finance at the University of Maryland. “I think the market and investors will be pleased with this decision. A new CEO coming in hopefully will be more security-conscious, with major experience in this area.”

SEC is hiring more cybersecurity help after breach that may have let hackers profit from stock trades

Carl Tobias, a University of Richmond law professor, said that although Smith's retirement may help Equifax move past the scandal, how the board responds to pressure from Congress and the sustained public outcry will probably define the future of the embattled company.

“Just removing Smith or having him retire doesn’t mean that the company will be able to address the concerns of millions of people, in terms of their own personal data, Equifax's lack of transparency and why it took them so long to reveal the breach to the public,” he said.

And even as Equifax moves to replace key personnel, one crucial question is just who the new crop of executives will be.

“This may be good, but it depends who the new leaders are,” Tobias said.

Jena McGregor contributed to this report.

Read more:

Equifax asks consumers for personal info, even after massive data breach

Two Equifax executives will retire following massive data breach

The FTC is investigating the Equifax breach. Here’s why that’s a big deal.