Richard Smith, chairman and chief executive of credit rating firm Equifax, is the latest executive to leave the company in the wake of a data breach reported in early September.
The company said board member Mark Feidler will serve as non-executive chairman and Paulino do Rego Barros, president of the company's Asia Pacific region, has been appointed as interim CEO.
Smith’s departure comes within weeks of the company admitting that data on up to 143 million US consumers may have been accessed by cyber attackers between mid-May and July.
The exposed data included social security numbers, birth dates, addresses and driving licence numbers, as well as credit card numbers for about 209,000 US consumers and dispute documents with personal identifying information for another 182,000 US consumers.
It subsequently emerged that around 400,000 UK consumers and 100,000 Canadians were also affected by the breach.
Equifax reportedly holds data on more than 820 million consumers, as well as information on 91 million businesses.
Smith’s departure comes just over a week after the company announced chief information officer Susan Mauldin and chief security officer David Webb were “retiring” and that Mark Rohrwasser and Russ Ayres would take over the roles with immediate effect.
Equifax shares fell 1.6% in early trading on Tuesday 26 September, and have fallen 27% since the company revealed the breach, according to CNBC.
Smith said in a statement: “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”
Equifax faces dozens of legal claims over the breach, including a class-action lawsuit by several US small businesses, representing millions of others affected by a breach of personal data.
Feidler said in a statement: “The Board remains deeply concerned about and totally focused on the cyber security incident. We are working intensely to support consumers and make the necessary changes to minimise the risk that something like this happens again.”
He added that the board has formed a special committee to focus on the issues arising from the breach and make sure all appropriate actions are taken.
Paying attention to cyber security
The departure of the Equifax and Target executives in the wake of a serious data breach demonstrates the importance of organisations’ boards paying attention to cyber security.
“Cyber risk management should run throughout the organisation,” said Lev Lesokhin, executive vice-president of strategy at software quality measuring company Cast Software.
“Developers today have too narrow a focus and do not consider the business implications of what they create,” he said.
According to Lesokhin, the Equifax breach highlights a shortage of talented developers who can keep up with business demand and tech complexity at the same time, creating further software risk.
But he believes the solution is not to rely on hiring good developers to write good software, because there are not enough skilled developers to go around.
“We need to take our most senior developers, have them design the architectures for data protection, and then ensure these architectural constructs are followed by the developer plebiscite with every build,” he said.
Understanding the architecture of applications
A recent survey by Cast revealed only about half of developers understand the architecture of their overall application.
“This means the other half are working in silos and have little to no visibility into how their component can endanger the rest of the system,” said Lesokhin.
Equifax identified a known and patched vulnerability in the Apache Struts web application framework as the initial attack vector, but said the investigation is continuing and that more information would be released as it emerged.