Former Equifax CEO Richard Smith’s retirement, just days before he was scheduled to testify in court over the huge data breach, has generated a lot of criticism. Although his resignation can be seen as a positive reaction to the breach that reportedly exposed the details of some 143 million individuals, prosecutors are condemning it as not enough to make up for the “travesty”.
It’s thought that some 209,000 credit card numbers were compromised in the breach, with some belonging to U.K. customers. Reports suggest that Smith will be “keeping $18 million in pension benefits and possibly $30 million in stock options.”
Retiring to luxury?
One anonymous source apparently revealed that Smith had no intention of leaving the company for at least another two years. The former CEO expressed a wish to stay and clear up the mess before retiring.
Even after the atrocity, Gadfly columnist Stephen Gandel reports that Smith will be leaving with £5.8 million in company bonuses on top of just under a £40 million fortune from stocks and retirement benefits accrued in the 12 years he worked as CEO.
Senator Elizabeth Warren released a statement calling for Smith to resurface and testify in court over the data breach before retiring in luxury. Part of her statement reads:
“The American public deserves answers about what went wrong at Equifax and what the company plans to do going forward.”
Equifax heavily criticised
Equifax is still facing heavy criticism for its alleged incompetence in managing the damage that resulted from the hacking. Its reportedly inadequate disclosure of the breach and controls over mitigating damage may have left millions of people at risk.
Ironically, many customers relied on Equifax to protect them from identity theft. Now, personal information belonging to millions in the U.K., U.S., and Canada is possibly in the hands of criminals and fraudsters.
Equifax’s strategy in responding to the calamity is one that is so common that it seems customary practice: (1) apologise; (2) tell customers that the company is taking the breach very seriously; (3) get rid of senior executives; and (4) offer victims a one-year subscription to a credit monitoring service.
The importance of damage control and compensation
Whilst consumers may acknowledge and appreciate that companies are apologising and holding themselves accountable, when it comes to data breaches, the consumers themselves are the victims, and damage control, recovery and compensation remain very important.
One customer has already come forward to share his ordeal with a cybercriminal who reportedly contacted him by telephone, telling the individual he had all his information. A ransom was reportedly demanded from him.
Many argue that the typical offer of a year’s credit monitoring service ‘free of charge’ adds further insult to injury. It’s now almost common knowledge that cybercriminals don’t always use the stolen data immediately, or may use stolen data to access other online accounts and platforms with a view to attacking victims from another angle.
Security consultant Frank Abagnale believes that cybercriminals may sit on the stolen data for at least two years before launching a “monumental cyber breach event”, making a one-year credit monitoring service appear somewhat worthless.