IRS Curbs Controversial $7 million Equifax Contract After Another Data Breach Alarm

For Equifax, the hits keep on coming and alarms keep on ringing. The credit scorer has temporarily lost a $7.2 million bridge contract with the Internal Revenue Service (IRS) amid worries it had been struck by yet another security breach.

The controversial no-bid contract, quietly awarded on September 30, calls for Equifax to verify the identities of taxpayers setting up accounts to access their online records and transcripts under the IRS’s Secure Access program, Politico reported. Existing account holders are not affected by the temporary halt to the contract.

Equifax yesterday denied reports that its systems had been infiltrated by hackers, blaming a faulty credit report assistance link for prompting it to shut down a customer help page. Still, considering how the company neglected to adequately protect the personal information of some 145 million people in last May’s massive cyber attack, it’s no wonder that any hint of a recurrence might spark nervous reactions from the IRS, as well as from customers and consumers.

"Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal," the company said. "The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis."

An IRS spokesperson also appeared to downplay the incident, describing the suspension as a "precautionary step as the IRS continues its review."

Terms of Engagement

Equifax’s agreement with the IRS to provide taxpayers with online fraud prevention services has been in jeopardy since July, or nearly two months before the company disclosed the shocking data theft and came under fire for a seemingly indifferent response in the attack’s immediate wake. The agency had already granted the contract to a new vendor as the Equifax deal was set to expire, but the credit bureau challenged the award, pushing a decision to the Government Accountability Office (GAO), The Hill reported. The current short-term arrangement with Equifax is intended to fill the gap in cyber security service until the GAO makes a determination on October 16.

Last week, Rep. John Ratcliffe (R-Texas), chairman of the House Homeland Security subcommittee on cybersecurity, called on the Department of Homeland Security (DHS) to revisit the contract between the IRS and Equifax.

"A multi-million dollar contract with a company that just recently displayed cybersecurity negligence of epic proportions is significantly degrading to public trust," Ratcliffe said in a statement posted on his website. "I urge DHS in the strongest possible terms to consider using the authorities granted from and the Cybersecurity Act to address this troubling development," he said.

But No Terms of Endearment

Lawmakers had previously heavily criticized the IRS’s decision to award the interim contract to Equifax.

"In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed," Senate Finance chairman Orrin Hatch (R-Utah) told Politico earlier this month.

However, the agency defended its decision, saying that Equifax had assured it no taxpayer data was involved in the heist.

D. Howard Kass
