NEW YORK — Embattled Equifax CEO Richard Smith stepped down Tuesday, less than three weeks after the credit reporting agency disclosed a disastrous hack to its computer system that exposed the sensitive personal information of 143 million Americans.
His departure follows those of two other high-ranking executives who left in the wake of the hack, which exploited a software flaw that the company did not fix, exposing Social Security numbers, birthdates, and other personal data that provide the keys to identity theft.
Smith, who had been CEO since 2005, will also leave the chairman’s post. Equifax called his departure a retirement, but he will not receive his annual bonus and other potential retirement-related benefits until the company’s board concludes an independent review of the data breach.
Even if the review finds Smith at fault, he could walk away with a retirement package of at least $18.4 million, along with the value of the stock and options he was paid out over his 12-year tenure.
There is a possibility the board could “claw back” any cash or stock bonuses he may have received, but corporations typically set high thresholds for that type of action.
The 57-year-old executive, who made almost $15 million in salary, bonuses, and stock last year, would also be able to stay on the company’s health plan for life.
Paulino do Rego Barros Jr., most recently president of the Asia Pacific region, was named interim CEO.
Board member Mark Feidler was appointed nonexecutive chairman. Equifax said it will look both inside and outside the company for a permanent CEO.
Even with the departures of three top executives, Equifax is facing several state and federal inquiries and myriad class-action lawsuits, including congressional investigations, queries by the Federal Trade Commission and the Consumer Financial Protection Bureau, and probes by several state attorneys general. On Tuesday, the City of San Francisco became the first municipality to sue Equifax for exposing its residents to identity theft. The Commonwealth of Massachusetts sued Equifax last week.
Three other executives were found to have sold stock for a combined $1.8 million before Equifax disclosed the breach, though the company says they were unaware of it at the time.
Although Wall Street analysts had previously applauded Equifax’s performance under Smith, he and his management team came under fire for lax security and their response to the breach. Confusion over the terms of credit-monitoring protection and jammed phone lines added to the public’s ire. The company’s stock has lost a third of its value — a $5.5 billion setback.
Equifax’s board clearly needed to deal with Smith, not only as a public show of penance for the breach but also for the company’s bungling since informing consumers their identities were in danger of being stolen, said Bart Friedman, a lawyer specializing in corporate governance issues.
“This was like a five-alarm fire, and the lack of an appropriate response by management just poured gasoline on that fire,” Friedman said. “If you are sitting on that board, I don’t know how you could have permitted him to stay in his role. I have rarely seen such a botched response to an existential threat.”
Equifax tried to appease incensed lawmakers, consumers, and investors by announcing the unceremonious retirement of its chief security officer and chief information officer last week, who were responsible for managing and protecting the company’s technology. But that wasn’t enough, with lawmakers drawing up bills that would impose sweeping reforms on Equifax and its two main rivals, Experian and TransUnion.
Smith had been scheduled to appear at two congressional hearings next week that would probably have turned into a public lambasting.
The House Energy and Commerce committee said in a tweet that it still plans to hold its hearing Oct. 3. A spokeswoman for the Senate Banking Committee said that panel’s Oct. 4 hearing remains scheduled as planned.