Equifax Inc. (EFX) Chairman and Chief Executive Officer Richard Smith is stepping aside almost 20 days after the credit-reporting company disclosed a cyberattack that compromised the personal information of more than 143 million Americans.
Board member Mark Feidler, a partner at MSouth Equity Partners LLC, a private equity investment firm, and former chief operating officer for BellSouth Corp., was named the non-executive chairman. Paulino do Rego Barros Jr., who most recently served as president of Asia Pacific for Equifax, has been appointed as interim CEO. Smith, 57, has agreed to serve as an unpaid adviser to Equifax to assist in the transition.
"The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right," Smith said in a statement. "At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward."
Equifax shares fell 1.6% in morning trading on the New York Stock Exchange after being halted for the Smith announcement. Since the cyberattack was revealed on Sept. 7, shares of Equifax have dropped about 27%.
The board will undertake a search for a new permanent CEO and is said to be considering candidates from within and outside the company. Feidler also said that the board has formed a special committee to focus on the issues arising from the recent security breach "and to ensure that all appropriate actions are taken."
GOING BEFORE CONGRESS
Smith is scheduled to appear before the Senate Committee on Banking, Housing and Urban Affairs on Oct. 4, an Equifax spokesperson said. He is expected to face questioning about how cyberhackers gained access to the personal information of millions of people in the U.S. and went undetected for months.
Smith will also be asked about the company's overall cybersecurity efforts as well as the company's transparency regarding consumers and shareholders, or lack thereof.
The Atlanta-based credit-reporting company disclosed on Sept. 7 that the names, addresses, birthdays and Social Security numbers of 143 million Americans were compromised in a cyberattack that Equifax discovered on July 29. Equifax said hackers accessed the information starting on May 13, but the Wall Street Journal reported that the first "interaction" with hackers happened on March 10. The company registered the domain name equifaxsecurity2017.com, the website Equifax directed customers toward to learn more about the breach, on Aug. 22, more than two weeks before the hack was publicly disclosed, according to the Wall Street Journal.
"Once Equifax discovered [the cyberattack], why did it take so long to become public?" asked Warren Zafrin, a management and technology consultant at UHY Advisors.
"Where was everything that would have set off the alarms?" Zafrin said. "It was a complete breakdown of their cyber program. Or there was complete fraud and miscommunication. It can't be both."
Equifax should have had an intrusion detection system or an incident response plan or, at the very least, a data leak prevention plan, Zafrin said.
Following the cyberattack, the company announced on Sept. 15 that its chief information officer, David Webb, and chief security officer, Susan Mauldin, were retiring, effective immediately. Mark Rohrwasser, who led Equifax's International IT operations, was named interim chief information officer; Russ Ayres, who served as vice president in the IT organization, was appointed interim chief security officer.
Congress will be keen to hear why Equifax waited to disclose the situation once the company discovered the intrusion, especially in light of the three executives who sold shares worth almost $1.8 million in the days after the company found the security breach. Equifax said the three people, including Chief Financial Officer John Gamble, had not been informed of the incident when they sold their shares.
"How do you explain the delay?" Zafrin asked. He said the delayed disclosure of the incident just "doesn't make sense" and demonstrates a level of incompetence. Zafrin also said that Equifax "absolutely" should have shut down any insider trading as soon as the breach was discovered.
"It just doesn't sound kosher," Zafrin said.
HISTORY OF SECURITY BREACHES
Cyberattacks, however, are far from a new problem for Equifax, which has a market capitalization of $12.65 billion.
In January 2017, Equifax admitted to a data security incident in which the "credit information of a small number" of customers at partner LifeLock were exposed to another user of the latter's online portal. Equifax said it provides LifeLock members with credit information through the LifeLock portal.
In May 2016, Equifax's W-2 Express website was attacked, resulting in the leak of more than 430,000 names, addresses, Social Security numbers and other personal information of employees of the grocery chain Kroger Co. (KR). The breach resulted in a class-action lawsuit, which alleged that Equifax "willfully ignored known weaknesses in its security system." Although the company sought to have the suit dismissed, the case was ultimately dropped without prejudice with the understanding that Equifax would fix the security issue.
Four years ago, the company told New Hampshire Attorney General Joseph Foster that between April 2013 and January 2014 an "IP address operator was able to obtain the credit reports using sufficient personal information to meet Equifax's identity verification process."
As a result, the company said it reported the suspicious activity to the Federal Bureau of Investigation and implemented additional monitoring and blocking measures to assess whether certain types of fraudulent activity were occurring on the affected individuals' credit files.
While Smith, who had served as CEO since 2005, stepped down 19 days after the security breach was disclosed, an in-depth look at some of the company's more prominent employees shows that about a handful of people left before the April 2013 hack, such as Jay Leek, vice president of international security, and Hmong Vang, senior director of global security compliance, according to BoardEx, a relationship mapping service of TheStreet Inc. John Carter, the former chief data officer, departed in April 2012. And in March 2013, one month before the hack, Tony Spinelli, the former chief security officer and Mauldin's predecessor, left Equifax.
TheStreet was able to determine that Carter was succeeded by Prasanna Dhore, who still works at Equifax. Carter declined to comment on why he left Equifax but said that his role "was not related to data security." Spinelli, who served as chief security officer between Sept. 2005 and March 2013, according to BoardEx, did not respond to multiple requests for comment.
When TheStreet reached out to Equifax last week to determine who replaced the other men in the security-related positions, the company said that "it is Equifax policy to not discuss personnel matters."
Still, even with these departures, Zafrin said that "it should not have made Equifax more vulnerable."
But does Equifax have a problem retaining top talent?
The great demand for cybersecurity experts at companies across the world could be one of the reasons these people moved jobs, Dr. Edward Amoroso, a distinguished research professor at New York University's Tandon School of Engineering, said in a recent interview.
Dr. Amoroso said that the chief information security officer (CISO) is often viewed as an appendage to the executive team, a "hired gun" that may be more likely to leave.
"The solution is that the CEO needs to build a better, more trusting relationship with the CISO," said Dr. Amoroso.
"We envision the breach having a similar effect on security awareness as did the late-2013 Target breach, whereby Boards/C-level executives became more involved with their organizations' security strategy," said Oppenheimer analysts Shaul Eyal and Tanner Hoban in a Sept. 18 research note. "Similar to Target, consumers felt the pain of this breach...this time on a much larger scale."
Thirteen Equifax analysts, or 81.3% of the total, have a Buy rating on the stock while three analysts have a Hold rating; there are no analysts with a Sell rating, according to Bloomberg data.
-- This story has been updated to reflect that Equifax confirmed Richard Smith is scheduled to testify before Congress.
Editors' pick: Originally published Sept. 26.