
Tuesday, October 17, 2017

IRS puts Equifax contract on hold

The Internal Revenue Service has temporarily suspended its $7.25 million contract with Equifax after the company admitted to finding a malware link on its website on the heels of a data breach that exposed the personal information of approximately 146 million people in the U.S.
The IRS came under fire from members of Congress this month after the agency admitted it had signed a no-bid contract with the credit bureau to provide identity verification services for taxpayers even though the company had recently suffered one of the biggest data breaches in history (see Lawmakers question IRS’s $7.25M no-bid contract with Equifax). A security researcher also found last week that a hacker had exploited a flaw on the company’s website to direct unsuspecting visitors to a link where they would download malware. Equifax took down the page, but the series of problems prompted the IRS to suspend its controversial contract with Equifax on Thursday.
“On October 12, the IRS notified us that they have issued a Stop-Work Order under our Transaction Support for Identity Management contract,” said a statement forwarded by an Equifax spokesperson. “We remain confident that we are the best party to perform the services required in this contract. We are engaging IRS officials to review the facts and clarify available options.”
The IRS said it was suspending the contract as “a precautionary step” in light of the new information.
“Following new information available, the IRS temporarily suspended its short-term contract with Equifax for identity proofing services,” said the IRS in a statement. “During this suspension, the IRS will continue its review of Equifax systems and security. The IRS emphasized that there is still no indication of any compromise of the limited IRS data shared under the contract. The contract suspension is being taken as a precautionary step as the IRS continues its review. Suspending the identity-proofing work provided under the contract means that the IRS will be temporarily unable to create new accounts for taxpayers using Secure Access, which supports applications including online accounts and transcripts. Although people can’t create new accounts, current Secure Access users aren't affected by this contract change and will continue to have access to their accounts. Other taxpayers still have options available for things such as obtaining transcripts, which can be ordered by mail. The IRS notes most of its services and tools are unaffected by this change.”
The IRS has awarded a new long-term contract to an Equifax competitor, Experian, for protecting taxpayers from identity theft. Equifax protested the IRS's decision to the Government Accountability Office, but the GAO ruled in favor of the IRS’s decision to award the new contract to Experian while continuing to review the suspended short-term contract with Equifax. The IRS praised the GAO’s decision.
“We’re looking forward to the start of the new contract,” the IRS said in a statement Monday. “We will move as quickly as we can, but it will take some time to begin service under the new contract. We are continuing to assess the time frame for the new service. In addition, we continue to review the status of our short-term contract with Equifax, which was temporarily suspended last week.”

Thursday, October 5, 2017

Lawmakers question IRS’s $7.25M no-bid contract with Equifax

Leaders of the Senate Finance Committee said they were “taken aback” to find out the Internal Revenue Service has recently signed a $7.25 million contract with Equifax for verifying taxpayer identities after the company admitted to a massive data breach exposing the personal information of approximately half of all Americans.
Senate Finance Committee chairman Orrin Hatch, R-Utah, and ranking member Ron Wyden, D-Ore., sent a letter Wednesday to IRS Commissioner John Koskinen asking why the agency would award a contract to Equifax after the company exposed the private information of more than 145 million Americans. The senators are investigating the impact of the data breach on Americans and federal agencies, and they asked Koskinen to explain the IRS’s rationale for trusting the company to aid with combating identity theft.
“We were taken aback when it came to our attention that last week the IRS awarded Equifax a sole source contract worth over seven million dollars for ‘verify[ing] taxpayer identity and ... assist[ing] in ongoing identity verification and validations needs of the Service,’” they wrote.
They asked Koskinen to help them better understand the IRS’s new and existing contracts with Equifax, and requested information including a copy of the contract and details on the services Equifax will perform. They also wondered, “Why was this awarded as a sole source contract especially in light of the recent breach?” and asked what steps the IRS is taking to ensure that Equifax is protecting taxpayer information. They also asked for a copy of every active contract between the IRS and Equifax, and they want the information no later than Oct. 11, 2017.
Equifax’s former CEO, Richard Smith, who resigned last week amid the outcry over the data breach, testified before Congress Tuesday and blamed an employee for making the error. He repeatedly apologized, however, saying, “As CEO, I was ultimately responsible for what happened on my watch. Equifax was entrusted with Americans’ private data and we let them down.”
Other lawmakers also reacted with shock at the deal, with one of them comparing it to an article on the satirical website the Onion. "It has come to my attention that on September 30th your agency awarded a sole source contract to Equifax to 'verify taxpayer identity' and 'assist in ongoing identity verification and validations,' I was initially under the impression that my staff was sharing a copy of the Onion, until I realized this story was, in fact, true," wrote Rep. Earl Blumenauer, D-Ore., in a separate letter to Koskinen. "As I’m sure you are aware, Equifax is the firm that appears to have been grossly negligent in allowing a massive data hack of the personal information of 145 million Americans. What’s more, this news was public in early September, giving your agency plenty of time to re-evaluate this decision. As a result, I am shocked that the IRS would contract with this firm for activities that they are clearly unfit to carry out."
Rep. Susan DelBene, D-Wash., also sent a letter to Koskinen outlining her concerns. “I write with deep concern over the recently reported decision by the Internal Revenue Service (IRS) to award a no-bid contract to Equifax,” she wrote. “I must question the IRS’ decision to move forward with this contract in light of the ongoing investigations into these incidents, and the general fitness of this company as a federal government contractor to perform functions that are not unrelated to the massive failures outlined above. I request a prompt response on the reasoning behind this decision, as well as a comprehensive explanation of alternatives to this seemingly reckless use of taxpayer dollars.”