Equifax is a consumer credit reporting firm based in Atlanta, Georgia, the oldest of the three largest U.S. credit agencies (the other two are Experian and TransUnion). Founded in 1899, Equifax gathers and maintains information on over 800 million consumers and more than 88 million businesses worldwide.
On July 29, 2017, Equifax discovered that some time in May, someone(s) hacked into its online databases and stole the names, birth dates, Social Security numbers, addresses and driver’s license numbers of 143 million consumers in the United States — data that security experts have described as the crown jewels for identity thieves.
But Equifax kept this discovery quiet for 39 days before finally informing the public about it on September 7, 2017, admitting that 209,000 U.S. credit card numbers are also breached, as well as “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”
After the company made known the breach, Equifax issued confusing instructions to consumers, which contained language that appeared aimed at limiting customers’ ability to sue. The company also tweeted out a link to a fake website instead of its own security site.
The Justice Department has also opened a criminal investigation into three Equifax executives — John Gamble, Rodolfo Ploder and Joseph Loughran — who sold almost $1.8 million of their company stock before the breach was publicly disclosed. See “Equifax executives sold $2M of their company shares 37 days before informing public of data breach“.
And yet, the IRS has seen fit to award Equifax a $7.25 million fraud-prevention contract — $7.25 million of taxpayers’ money!
Steven Overly and Nancy Scola report for Politico, Oct. 3, 2017, that a contract award for Equifax’s data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year.
According to the no-bid contract, the IRS will pay Equifax $7.25 million to help prevent fraud at the IRS by assisting in verifying taxpayer identity even as Congress is investigating Equifax for its massive security breach that exposed the personal information of as many as 145.5 million Americans.
A no-bid contract means that the IRS deems Equifax to be a “sole source order” — the only company capable of providing the service. The contract award was issued to prevent a lapse in identity checks while IRS officials resolve a dispute over a separate contract.
The IRS, which has suffered its own embarrassing data breaches as well as a tidal wave of tax-identity fraud, has taken steps to improve its outdated information technology with the help of $106.4 million that Congress earmarked for cybersecurity upgrades and identity theft prevention efforts. In a letter to IRS Commissioner John Koskinen, Senate Finance Chairman Orrin Hatch (R-Utah) questioned the agency’s security systems and said he was concerned that the IRS lacked the technology necessary “to safeguard the integrity of our tax administration system.”
Lawmakers on both sides of the aisle blasted the IRS decision:
- Senate Finance Chairman Orrin Hatch (R-Utah) said in a statement: “In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed,”
- Senate Finance Comittee ranking member Ron Wyden (D-Ore.) said: “The Finance Committee will be looking into why Equifax was the only company to apply for and be rewarded with this. I will continue to take every measure possible to prevent taxpayer data from being compromised as this arrangement moves forward.”
The IRS defended its decision in a statement:
“Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems. At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation.”