IRS puts Equifax contract on hold
The Internal Revenue Service has temporarily suspended its $7.25 million contract with Equifax after the company admitted to finding a malware link on its website on the heels of a data breach that exposed the personal information of approximately 146 million people in the U.S.
The IRS came under fire from members of Congress this month after the agency admitted it had signed a no-bid contract with the credit bureau to provide identity verification services for taxpayers despite recently suffering one of the biggest data breaches in history (see Lawmakers question IRS’s $7.25M no-bid contract with Equifax). A security researcher also found last week that a hacker had exploited a flaw on the company’s website to direct unsuspecting visitors to a link where they would download malware. Equifax took down the page, but the series of problems prompted the IRS to suspend its controversial contract with Equifax on Thursday.
“On October 12, the IRS notified us that they have issued a Stop-Work Order under our Transaction Support for Identity Management contract,” said a statement forwarded by an Equifax spokesperson. “We remain confident that we are the best party to perform the services required in this contract. We are engaging IRS officials to review the facts and clarify available options.”
The IRS said it was suspending the contract as “a precautionary step” in light of the new information.
“Following new information available, the IRS temporarily suspended its short-term contract with Equifax for identity proofing services,” said the IRS in a statement. “During this suspension, the IRS will continue its review of Equifax systems and security. The IRS emphasized that there is still no indication of any compromise of the limited IRS data shared under the contract. The contract suspension is being taken as a precautionary step as the IRS continues its review. Suspending the identity-proofing work provided under the contract means that the IRS will be temporarily unable to create new accounts for taxpayers using Secure Access, which supports applications including online accounts and transcripts. Although people can’t create new accounts, current Secure Access users aren't affected by this contract change and will continue to have access to their accounts. Other taxpayers still have options available for things such as obtaining transcripts, which can be ordered by mail. The IRS notes most of its services and tools are unaffected by this change.”
The IRS has awarded a new long-term contract to an Equifax competitor, Experian, for protecting taxpayers from identity theft. Equifax protested the IRS's decision to the Government Accountability Office, but the GAO ruled in favor of the IRS’s decision to award the new contract to Experian while continuing to review the suspended short-term contract with Equifax. The IRS praised the GAO’s decision.
“We’re looking forward to the start of the new contract,” the IRS said in a statement Monday. “We will move as quickly as we can, but it will take some time to begin service under the new contract. We are continuing to assess the time frame for the new service. In addition, we continue to review the status of our short-term contract with Equifax, which was temporarily suspended last week.”