EFF co-founder John Perry Barlow once said that asking the government to protect your privacy is like asking a peeping tom to install your window blinds. The Internal Revenue Service, it seems, has taken this warning as a recommendation.
With no apparent sense of irony, the nation’s tax collectors have awarded embattled credit-reporting agency Equifax a contract to assist the IRS in verifying “taxpayer identities” as well as assist in “ongoing identity verification and validations,” according to a contract award posted to the Federal Business Opportunities database.
The no-bid contract, which pays $7.25 million, is listed as a “sole source” acquisition, meaning the IRS has determined Equifax is the only business capable of providing this service—despite its involvement in potentially one of the most damaging data breaches in recent memory.
The contract, which was awarded on September 30th, was first reported Tuesday afternoon by Politico.
Equifax, of course, is facing intense criticism over a cybersecurity incident which reportedly compromised the personal information of roughly 145 million Americans. The company’s former CEO, Richard Smith, was taken to task on Tuesday while testifying before the House Energy and Commerce subcommittee. Smith resigned last week amid backlash over the company’s handling of the breach.
Republicans and Democrats alike lambasted the former chief executive over Equifax’s response. Representative Greg Walden was perhaps the harshest in his criticism: “I don’t think we can pass a law that fixes stupid,” he said. Walden further compared the breach to a robbery at Fort Knox, saying Equifax had “forgot to lock the doors and failed to notice the thieves were emptying the vaults.”
Smith said the breach was the result of both “human error and technology errors,” admitting the company failed to apply critical software patches in March. Despite learning of the breach in late July, the company waited more than 40 days to notify the public, a fact that incensed several of the lawmakers. Representative Gene Green said that the company ought to be “shut down,” comparing it to a restaurant that failed regular health inspections.
Asked if Equifax had any knowledge of who might’ve been behind the breach, Smith said he had “no opinion” to share. “We’re engaged with the FBI,” he said. “That’s all I’ll say.”
Representative Debbie Dingell, who is cosponsoring a House bill that would require prompt notification by companies in the event of a breach, told Gizmodo that Equifax should not be awarded any federal contracts until more is known about the company’s handling of the incident.
“After questioning Equifax’s former CEO today, I am left with more questions than answers,” Dingell said. “We don’t know how this breach happened, who is responsible or what Equifax is doing to prevent a similar security lapse from happening in the future. Until we get those answers, Equifax should not be rewarded for reckless data protection with a $7.25 million IRS contract.”
Equifax did not immediately respond to a request for comment. An IRS spokesperson said the agency was preparing to address the contract with a statement but did not immediately have one available.
Update, 6:02pm: An IRS spokesperson sent Gizmodo the following statement regarding the Equifax contract:
As noted in public records, the short-term contract was awarded to Equifax to prevent a lapse in service during a protest on another contract. The service relates to assisting in ongoing identity validation needs of the IRS. Equifax provided these identity proofing services to the IRS under a previous contract.
Equifax advised us that no IRS data was involved in their breach. Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems. At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation.
Update, 8:00pm: Gizmodo has obtained a copy of a letter sent Tuesday evening by Rep. Earl Blumenauer to IRS Commissioner John Koskinen. In it, the congressman from Oregon demands an explanation for the Equifax contract.
Blumenauer, who sits on the House Ways and Means Committee, writes that he thought that his staff was “sharing a copy of The Onion” when he first read about the award.
“As I’m sure you are aware, Equifax is the firm that appears to have been grossly negligent in allowing a massive data hack of the personal information of 145 million Americans,” the letter says. “What’s more, this news was public in early September, giving your agency plenty of time to reevaluate this decision. As a result, I am shocked that the IRS would contract with this firm for activities that they are clearly unfit to carry out.”
You can read a full copy of Blumenauer’s letter below.