Weeks after it revealed a data breach that compromised the personal data of 143 million Americans, Equifax announced the retirement of chairman and CEO Richard Smith. It also elected a new chairman, appointed an interim CEO, and started the search for Smith's replacement.
Smith's departure follows scandal after scandal involving the company's handling of its data breach. It's not just that the names, addresses, and Social Security numbers of a significant portion of the U.S. population were stolen from a company many people cared little about before this hack. It's that at every step, from the unpatched vulnerability that enabled the breach to its disclosure timeline, Equifax stubbed its toe.
- Equifax allowed a critical Apache Struts vulnerability to go unpatched, which resulted in this breach.
- Before the company disclosed the breach, three executives sold nearly $1.8 million worth of stock.
- Shortly after the hack's disclosure, Equifax changed its protective service's arbitration clause, which would have prevented anyone from suing it.
- It was revealed that Equifax "secured" a server holding Argentinians' personal data with the username / password combo of "admin / admin."
- Equifax's social media team directed people to a fake site that could have stolen their private data.
These missteps show a pattern of carelessness and greed amidst a data breach that will affect many Americans long into the future. Equifax wasn't hacked by criminal masterminds; it was targeted by someone who was simply curious enough to see if a company that holds incredibly sensitive information about millions of Americans had bothered to install a patch months after it was released. That lark just happened to pay off.
Not that the hackers are the only ones who stood to profit from the breach. Fortune pointed out that Equifax acquired an identity protection firm, ID Watchdog, after the breach was discovered but before it was disclosed. One could give Equifax the benefit of the doubt and think it wanted to bolster its defensive capabilities. One could also believe the company "predicted" that protective services would "mysteriously" rise in popularity.
Here's what Equifax's new chairman, Mark Feidler, said about the decision to "retire" Smith:
The Board remains deeply concerned about and totally focused on the cybersecurity incident. We are working intensely to support consumers and make the necessary changes to minimize the risk that something like this happens again. Speaking for everyone on the Board, I sincerely apologize. We have formed a Special Committee of the Board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken.
Equifax's next moves will make it clear whether Feidler truly plans to address the company's deep issues or if Smith is merely a scapegoat.
I would like to see all 3 go down in flames and replaced by a new branch of government.
- because it affects nearly 100% of Americans
- because it's too important to leave to private companies to F-up
- wrong items are never corrected unless you submit a letter/correction request
- For political leaders, credit reporting companies fix their credit reports for them so they don't have to deal with the nightmares that can happen. (must be nice) That's also why the government allows these companies. If your opinion matters (in politics) your credit history will be managed for you so you continue to have a positive opinion of these companies.
That said, one thing I question is the degree of oversight, and the general effects of deregulation. How much accountability is there, really? The CEO is unlikely to go to jail; I'm not sure he'll ever get fined. Oh, he got fired...and odds are, will never work again. Poor boy only has the remains of his 8-digit annual salary and stock options to fall back on. Wahh. Gee, he won't be able to attend all 4 Grand Slams, if he's a tennis guy...he'll have to cut back to just 2. Terrible....feel for him.............
Not that there's a snowball's chance of adequate compensation, should this really blow up.
You are aware that the government already has *TONS* of safeguards in place to protect consumers from credit fraud right? Most were implemented under FDR during the Great Depression.
Also, CEOs commonly announce retirement dates 12-18 months in advance, in order to promote a smoother transition and not shake investor confidence. So resign is more accurate, but the action is also triggering retirement clauses (including an $18M *pension*.)
Someone fraudulently uses your bankcard? You see it on your statement or the bank notices unusual activity and the bank issues you a new card/number.
Someone fraudulently uses your SSN (and you may not even know it's in use)? Unless you can prove to the U.S. government that you have been damaged in some way by the fraudulent use of your SSN, you won't be issued a new SSN.
I say sign this petition so SSN becomes a worthless commodity and they come up with a new way to ID us all that is more than a simple number:
I don't think such a massive change is necessary. It's clear that there were major security issues, which should be addressed. For example, the security patch that was not applied? Require confirmation that all critical patches are installed. The situation where the admin/admin log-in was left active? Require a security audit for all servers.
Finally, it is not clear to me that any actual crime was committed by Equifax. They broke trust; they are absolutely open to civil liability. But not necessarily criminal.