In awarding a $7.25 million contract to Equifax to help verify US taxpayers’ identities, the Internal Revenue Service set itself up for a massive backlash. But in a letter obtained by Gizmodo on Thursday, IRS chief John Koskinen argues that the circumstance was unavoidable. Not awarding the contract, he writes, would have prevented thousands of hurricane victims from obtaining much-needed… tax information.
Koskinen’s letter was sent to Representative Earl Blumenauer, who raised concerns on Tuesday over a no-bid contract being awarded to a credit reporting agency at the center of a ruinous data breach. The contract was listed as a “sole source” acquisition, meaning Equifax was the only company the IRS believed capable of doing the job. Blumenauer was one of the first to respond, telling the IRS chief in a letter that, at first, he didn’t believe the news was real.
“As I’m sure you are aware,” wrote Blumenauer, “Equifax is the firm that appears to have been grossly negligent in allowing a massive data hack of the personal information of more than 145 million Americans.”
To a degree, Koskinen’s response does help clarify why the IRS would award such a controversial contract: Equifax filed a petition with the Government Accounting Office (GAO) in July after the IRS awarded the contract to another company. A decision hasn’t been reached and Equifax’s contract expired on September 30th. Without a decision from the GAO, the IRS was forced to enter, Koskinen says, into a “short-term contract with Equifax, which, as the current incumbent, is currently the only vendor that can provide identity authentication services to the IRS.”
In other words, without a decision from the GAO, the IRS has nowhere else to turn. According to the GAO’s website, an outcome is due in response to Equifax’s petition by October 16th.
Discontinuing Equifax’s services without a replacement, Koskinen argues, would force the agency to “shut down all online access to taxpayer accounts,” leaving anyone hoping to file returns before the October 16th extension deadline royally screwed. “Shutting down online access would also have impacted victims of Hurricanes Harvey, Irma, and Maria,” he says. “These taxpayers have an immediate need for tax information and may no longer have paper records on which to rely.”
Koskinen also notes that the IRS awarded another contract previously held by Equifax to a different company on October 1st. Equifax had previously been contracted to provide taxpayers with credit monitoring services; however, the contract was recently recompeted and then awarded to a new vendor. It’s not clear if Equifax was invited to bid on the contract. The IRS didn’t immediately respond to a request for comment.
According to Koskinen, the IRS conducted a “comprehensive internal review” and an “on-site inspection” at an Equifax facility following the breach, as well as an analysis of the compromised data—with the exception of data relating to 209,000 citizens. Much of the data, he said, appears “similar” to what was lost in the major data breaches at Target and at the insurance company Anthem.
(It’s worth noting, however, that only 70 million Target customers and 80 million Anthem subscribers were affected in those breaches, as opposed to the 145 million affected at Equifax, although obviously the degree of overlap is unknowable.)
Strikingly, an IRS review, which was done in consultation with investigators at the US Treasury’s Inspector General’s office, found that “the risk to citizens… is no greater than what it was before the breach.” Added Koskinen: “Additionally, we have seen no indications of fraud related to Equifax, but we will continue to actively and closely monitor the situation.”
Blumenauer was not indifferent to the IRS’s position. “I appreciate that the IRS finds itself in a morass that Equifax created,” he told Gizmodo on Thursday. “My constituents, however, understand the merits here. Equifax has been grossly negligent and should lose this federal contract.”
Blumenauer is not the only lawmaker who has raised concerns over the contract. Yesterday, Representative John Ratcliffe asked the Department of Homeland Security to address the “troubling development” by using its authority to shore up the federal government’s cybersecurity efforts—the implication being that it was an unnecessary and avoidable risk handing a contract to a company accused of what he called “cybersecurity negligence of epic proportions.”