The no-bid contract was issued last week, as the company continued facing fallout from its massive security breach.
The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.
A contract award for Equifax’s data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year. The credit agency will “verify taxpayer identity” and “assist in ongoing identity verification and validations” at the IRS, according to the award.
The notice describes the contract as a “sole source order,” meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract.
Lawmakers on both sides of the aisle blasted the IRS decision.
“In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed,” Senate Finance Chairman Orrin Hatch (R-Utah) told POLITICO in a statement.
The committee’s ranking member, Sen. Ron Wyden (D-Ore.), piled on: “The Finance Committee will be looking into why Equifax was the only company to apply for and be rewarded with this. I will continue to take every measure possible to prevent taxpayer data from being compromised as this arrangement moves forward.”
The IRS defended its decision in a statement, saying that Equifax told the agency that none of its data was involved in the breach and that Equifax already provides similar services to the IRS under a previous contract.
“Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems,” the statement reads. “At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation.”
Equifax did not respond to requests for comment.
Equifax disclosed a cybersecurity breach in September that potentially compromised the personal information, including Social Security numbers, of more than 145 million Americans — data that security experts have described as the crown jewels for identity thieves. The company is one of three major credit reporting bureaus whose data determine whether consumers qualify for mortgages, auto loans, credit cards and other financial commitments.
The company has subsequently taken criticism for issuing confusing instructions to consumers, which contained language that appeared aimed at limiting customers’ ability to sue, as well as tweeting out a link to a fake website instead of its own security site. The Justice Department later opened a criminal investigation into three Equifax executives who sold almost $1.8 million of their company stock before the breach was publicly disclosed, Bloomberg has reported.
Former Equifax CEO Richard Smith, who stepped down after the breach, endured a bipartisan shaming Tuesday at a hearing of a House Energy and Commerce subcommittee. The full committee’s Republican chairman, Greg Walden of Oregon, proclaimed: “It’s like the guards at Fort Knox forgot to lock the doors.”
Reps. Suzan DelBene (D-Wash.) and Earl Blumenauer (D-Ore.) separately penned letters to IRS Commissioner John Koskinen demanding he explain the agency’s rationale for awarding the contract to Equifax and provide information on any alternatives the agency considered.
“I was initially under the impression that my staff was sharing a copy of the Onion, until I realized this story was, in fact, true,” Blumenauer wrote.
The IRS, which has suffered its own embarrassing data breaches as well as a tidal wave of tax-identity fraud, has taken steps to improve its outdated information technology with the help of $106.4 million that Congress earmarked for cybersecurity upgrades and identity theft prevention efforts.
Hatch questioned the agency’s security systems in a letter to Koskinen last month. Hatch said he was concerned that the IRS lacked the technology necessary “to safeguard the integrity of our tax administration system.”