By Dustin Volz and John McCrank
(Reuters) - Equifax Inc <EFX.N> said on Tuesday that Chief Executive Richard Smith would leave the company and forgo this year's bonus as criticism mounts over a massive cyber attack that has plunged the credit-monitoring firm into crisis.
Smith's departure is the latest development following Equifax's Sept. 7 disclosure of the breach, which has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice.
Some observers said the move was a positive first step, though several U.S. senators looking into the cyber attack said the departure failed to remedy damage to the up to 143 million Americans whose data was compromised.
"A failure of this magnitude must have consequences," said Paul Rosenzweig, a former Department of Homeland Security official who advises companies on cyber security. "If the Equifax CEO had retained his job, cyber security would be seen as a joke everywhere in corporate America."
Equifax said in a regulatory filing that it might claw back some of Smith's compensation for this year, depending on results of the board's investigation into the breach, which the Atlanta-based company has said occurred between mid-May and July.
Smith is still eligible for $18.4 million in retirement benefits, regardless of the results of the internal probe.
The company's statement said that Smith, 57, had retired, though he and company representatives did not respond to requests to elaborate on the reason for his departure.
"At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward," Smith was quoted as saying in the statement.
The breach has already prompted the departures of Equifax's chief information officer and chief security officer, which were disclosed on Sept. 15.
Some corporate governance experts said the board's probe into the attack could lead to more changes at the helm of the company.
“The board of directors and leadership has to figure out how much damage has been caused and what needs to be done. Maybe someone on the board needs to be removed," said Brent Longnecker, head of compensation and corporate-governance consulting firm Longnecker & Associates.
Equifax shares closed nearly 1 percent higher at $106.05. They have fallen around 30 percent, losing about $4.5 billion in market value, since the attack was disclosed amid criticism from consumers, politicians and security experts over the company's response to the hack.
"The newly appointed Non-Executive Chairman states up front that the board is 'deeply concerned' about the cyber incident and he apologized directly for the breach," said Jaret Seiberg, an analyst with Cowen Group, in a note for investors.
"This is the type of mea culpa that plays well on Capitol Hill."
It is rare, but not unprecedented for a CEO to depart following a massive hack. Target Corp <TGT.N> CEO Gregg Steinhafel left the retailer in 2014 after a high-profile breach that exposed credit cards and data on tens of millions of shoppers.
In this case, Equifax and Smith agreed to let the company defer decisions related to "any obligations or benefits" owed to him until the board's review of the breach is complete.
Smith last year earned $14.96 million in total compensation.
The company named Paulino do Rego Barros, 61, who was most recently president of Equifax's Asia-Pacific operations, as interim CEO. Board member Mark Feidler was appointed non-executive chairman.
Smith has been called to testify at several congressional hearings. Several lawmakers, including Democratic U.S. Senators Elizabeth Warren and Sherrod Brown said they still expected Smith to appear.
"The American public deserves answers about what went wrong at Equifax and what the company plans to do going forward," Warren said in a statement.
A U.S. House Energy and Commerce Committee spokeswoman said Smith would still testify at an Oct. 3 hearing. A Senate Banking Committee spokeswoman said that panel's plans to hear from Smith on Oct. 4 have not changed.
An Equifax spokeswoman said the company would continue to cooperate with lawmakers.
Democratic Senator Mark Warner said at a Senate hearing on Tuesday that the situation at Equifax was a "travesty" and Smith's departure did not do enough to remedy the harm suffered by consumers.
"I question if Equifax even has the right to continue providing these services," said Warner, who co-chairs the Senate Cybersecurity Caucus.
Three Equifax executives, including the chief financial officer, are also under fire for selling $1.8 million in stock three days after the company said it detected the breach on July 29.
Equifax has said its executives were not aware of the breach when they sold their stock.
(Reporting by John McCrank in New York, Dustin Volz in Washinton; Additional reporting by Diane Bartz and Pete Schroeder in Washington, Ross Kerber in Boston, Supantha Mukherjee in Bengaluru; Editing by Sai Sachin Ravikumar, Meredith Mazzilli, Jim Finkle and Cynthia Osterman)