Credit reporting agency Equifax EFX, +0.73% said Tuesday its chairman and chief executive Richard Smith will retire, after a security breach at the company that potentially exposed about 143 million U.S. adults to identity theft.

Smith had spent 12 years in his role at Equifax. The company announced earlier this month that its chief information officer and chief security officer had also retired immediately. Equifax’s current board president of Asia Pacific, Paulino do Rego Barros, will serve as interim CEO, and current board member Mark Feidler will be non-executive chairman.

Smith won’t walk away empty-handed.

He won’t receive a “package” to retire, an Equifax spokesperson said. In 2016 and 2015 he had received bonuses of about $3 million a year, and depending on the company’s performance this year, he could have received a comparable amount, according Equifax filings. But he will not receive that award, by mutual agreement. And he will not receive severance pay, as his departure is by mutual agreement, the spokesperson said. If he had been removed from his position, he would have received severance of $5 million.

But Smith will still receive some $18.3 million in pension benefits. Under the company’s pension plan, he is entitled to that pension under any circumstance, the spokesperson said.

With that said, though, the company reached an agreement that could give Smith even more compensation; the Equifax spokesperson said Smith and Equifax’s board have agreed to defer decisions about the “characterization of his employment.” The board “retains the right to change the basis of his departure to a ‘for cause’ termination,” because the board of directors has formed a special committee to focus on the issues surrounding the cybersecurity incident.

Depending on what that committee finds, the company could change Smith’s departure to a termination, in which case he could be entitled to severance.

As retail goes online, these companies have moved to brick-and-mortar

Plus, Smith’s “award agreements are still outstanding,” the spokesperson said. That means Smith might retain the rights to millions of dollars in stock that have yet to vest, depending on the outcome of the internal review, said Jason Schloetzer, a professor at Georgetown’s McDonough School of Business.

The total amount of that “award” is “less than $20 million,” an Equifax spokesperson said.

Consumers have expressed concern not only about the breach, but how Equifax handled the aftermath.

Hackers went undetected in Equifax’s computer network for more than four months before its security team discovered the breach, according to a security firm, FireEye Inc. FEYE, +1.50%

As first reported by Bloomberg News, several Equifax executives sold their stock in the company after Equifax learned of the breach, but before it informed consumers.

The company discovered the breach July 29 and announced it Sept. 7, but those executives sold their stock, worth almost $2 million, on Aug. 1 and Aug. 2.

There were also many glitches for consumers who were trying to find out if their data had been breached. The website Equifax set up for consumers to check if they had been impacted didn’t immediately tell them whether or not they were.

Equifax also removed language from its terms of service, which originally stated that consumers who visited that website and enrolled in its credit monitoring service also waived their right to sue Equifax in a class-action lawsuit.

And many consumers received error messages when they attempted to “freeze” their credit report with Equifax, in an effort to protect their data from potentially being used to open lines of credit without their knowledge.

Identity theft can cost consumers hundreds of dollars and take years to clear up.