"Did you know that you have programmers making more than some of their managers?, " the caller asked, quoting the specific people and their salaries.
It's not surprising that senior level IT staff would earn at, or even somewhat more than, mid-level managers. Smart CEOs understand that, so no apology or controversy there. However, had the caller drawn attention to issue that female staff in equivalent positions were consistently paid less than male counterparts, well then that's an "Oh, shite!" moment.
The CEO did know, acknowledged this, but declined to discuss the matter. Instead he asked who was on the phone, and how did they know the salaries of his employees.
Big mistake. Don't acknowledge anything potentially embarrassing, unless you're required to by law. The first thing the CEO should have said was: "Who is this?", and then he should have hung up.
However when he opened the package, he realized none of his employees was to blame. Instead, this was a drive given to an auditor that was verifying the accounting practices of the company.
Perhaps one of his employees is to blame after all. Who the hell provides thumb drives with data dumps to auditors? I've assisted in external audits (routine yearly audits for industry or SOX compliance), and what happens is that IT provides executive management with reports containing only specific columns conforming to a standard format, reports which specifically don't include personal identifiers or other attributes (like salary) that fall outside the scope of the audit. Executive management and legal review the reports and then hand them off to the auditor. The CEO didn't know what data had been handed off to the auditors?
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho