Just hours after Equifax CEO Rick Smith wrapped up his testimony before the House Energy and Commerce committee – the first in a series of Congressional “fact-finding missions” about the hack - Politico reported that the IRS last week awarded the disgraced credit monitoring bureau with a $7.25 no-bid contract even as the company struggled to address suspicions that it mislead investors and customers by withholding information about one of the most damaging data breaches in US history.
Equifax famously waited more than a month to disclose that hackers had infiltrated its servers and absconded with the sensitive financial information of more than 140 million customers, sparking widespread outrage that only intensified after reporters discovered that several of the company’s senior executives – including its CFO – cashed out of shares and options in the weeks before the company came clean about the hack.
According to the terms of the IRS contract, Equifax would be responsible for verifying taxpayer identities and help prevent fraud under a no-bid contract issued last week.
As if the IRS's decision to entrust the disgraced credit bureau with sensitive taxpayer data wasn't galling enough, the agency seemingly fast-tracked the contract by classifying it as a “sole source order” – a designation that allows the agency to circumvent the bidding process by claiming a given vendor is the only one capable of executing the contract. However, the agency's justification for this designation is baffling, considering that there are two other credit bureaus in the US that offer a nearly identical suite of services.
The notice describes the contract as a "sole source order," meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract.
Lawmakers from both parties demanded an explanation from the agency, which has endured several memorable data-security lapses – including a 2015 breach that exposed the sensitive financial information of more than 100,000 taxpayers.
Reps. Suzan DelBene (D-Wash.) and Earl Blumenauer (D-Ore.) separately penned letters to IRS Commissioner John Koskinen demanding he explain the agency's rationale for awarding the contract to Equifax and provide information on any alternatives the agency considered. "I was initially under the impression that my staff was sharing a copy of the Onion, until I realized this story was, in fact, true," Blumenauer wrote.
Senate Finance Committee Chairman Orrin Hatch criticized the agency’s decision as “irresponsible.”
"In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed," Senate Finance Chairman Orrin Hatch (R-Utah) told POLITICO in a statement.
Hatch raised concerns about the IRS’s cybersecurity practices in a letter sent to the agency’s head last month. To help the agency improve its data-security safeguards, Congress recently allocated $106.4 million to bolster the agency’s identity theft protections.
Hatch questioned the agency's security systems in a letter to Koskinen last month. Hatch said he was concerned that the IRS lacked the technology necessary "to safeguard the integrity of our tax administration system."
Ron Wyden said the Finance Committee would seek to verify whether Equifax was really the only company capable of executing the contract, as the agency insisted.
The committee's ranking member, Sen. Ron Wyden (D-Ore.), piled on: "The Finance Committee will be looking into why Equifax was the only company to apply for and be rewarded with this. I will continue to take every measure possible to prevent taxpayer data from being compromised as this arrangement moves forward.”
In defending its decision, the IRS claimed that Equifax said that none of its data was involved in the data breach.
The IRS defended its decision, saying Equifax has told the agency that none of its data was affected by the breach. The agency also noted that Equifax already provides “similar services” to the agency under a different contract.
"Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems," the statement reads. "At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation."
Given that Equifax waited more than a month to disclose the hack to the public – and has bungled seemingly every step in its response to the hack - the fact that the IRS justified its decision by, in effect, saying "they told me everything is fine" is hardly reassuring. As Yahoo demonstrated just last night, the true scope of cyber-security intrusions sometimes takes years to uncover, which is precisely why sticking with Equifax is a risky. Yahoo, of course, revealed yesterday that a 2013 data breach impact all 3 billion of the company’s user accounts – three times the one billion accounts previously reported by the company.
As lawmakers have suggested, when determining which companies should be trusted to safeguard tax payers' most sensitive financial data, the agency should've erred on the side of caution.