Weeks after it revealed a data breach that compromised the personal data of 143 million Americans, Equifax announced the retirement of chairman and CEO Richard Smith. It also elected a new chairman, appointed an interim CEO, and started the search for Smith's replacement.
Smith's departure follows scandal after scandal involving the company's handling of its data breach. It's not just that the names, addresses, and Social Security numbers of a significant portion of the U.S. population were stolen from a company many people cared little about before this hack. It's that at every step, from the unpatched vulnerability that enabled the breach to its disclosure timeline, Equifax stubbed its toe.
- Equifax allowed a critical Apache Struts vulnerability to go unpatched, which resulted in this breach.
- Before the company disclosed the breach, three executives sold nearly $1.8 million worth of stock.
- Shortly after the hack's disclosure, Equifax changed its protective service's arbitration clause, which would've prevented anyone from suing it.
- It was revealed that Equifax "secured" a server holding Argentinians' personal data with the username / password combo of "admin / admin."
- Equifax's social media team directed people to a fake site that could have stolen their private data.
These missteps show a pattern of carelessness and greed amidst a data breach that will affect many Americans long into the future. Equifax wasn't hacked by criminal masterminds; it was targeted by someone who was simply curious enough to see if a company that holds incredibly sensitive information about millions of Americans had bothered to install a patch months after it was released. That lark just happened to pay off.
Not that the hackers are the only ones who stood to profit from the breach. Fortune pointed out that Equifax acquired an identity protection firm, ID Watchdog, after the breach was discovered but before it was disclosed. One could give Equifax the benefit of the doubt and think it wanted to bolster its defensive capabilities. One could also believe the company "predicted" that protective services would "mysteriously" rise in popularity.
Here's what Equifax's new chairman, Mark Feidler, said about the decision to "retire" Smith:
The Board remains deeply concerned about and totally focused on the cybersecurity incident. We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again. Speaking for everyone on the Board, I sincerely apologize. We have formed a Special Committee of the Board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken.
Equifax's next moves will make it clear whether Feidler truly plans to address the company's deep issues or if Smith is merely a scapegoat.