US credit report giant Equifax has replaced two senior staff after revealing last week it had suffered a massive data breach.
Data on up to 143 million Americans, about 400,000 Britons and a number of Canadians may have been stolen by hackers between mid-May and July.
The chief information officer and chief security officer have both stood down.
Equifax faces dozens of legal claims over the breach, which the US Federal Trade Commission is investigating.
Social security numbers, birth dates, addresses and driving licence numbers for up to 143 million Americans were exposed, the Atlanta-based firm says.
Credit card numbers for about 209,000 Americans and “certain dispute documents with personal identifying information” for some 182,000 Americans were also accessed by the hackers, it adds.
Lenders use data amassed by firms like Equifax to assess the credit worthiness of customers seeking to acquire houses, cars and credit cards.
Susan Mauldin, chief security officer, retired and was replaced by Russ Ayres in an interim role, while chief information officer David Webb left and was replaced by Mark Rohrwasser in an interim capacity, the firm said.
The changes, made as part of the firm’s review of the cyber security incident breach, were “effective immediately”, Equifax said in a statement.
The company added that its external investigation was ongoing and it was working closely with the FBI in its criminal probe.
Equifax holds data on more than 820 million consumers as well as information on 91 million businesses.
Its share price has fallen by more than a third since it revealed the breach on 7 September, Reuters news agency reports.
US Senator Elizabeth Warren, who has built up a reputation as a consumer champion, is demanding to know how the firm’s security systems failed.
“Equifax has failed to provide the necessary information describing exactly how this happened, and exactly how your security systems failed,” she said in a letter to the company.
“Equifax’s initial efforts to provide customers information did nothing to clarify the situation and actually appeared to be efforts to hoodwink them into waiving important legal rights.”
The credit rating firm’s chief executive, Richard Smith, has openly apologised for the breach and will testify at a House Energy and Commerce Committee hearing in the US Congress on 3 October.