Despite having been the object of a massive security breach this summer, which exposed the personal information of as many as 145.5 million people in the United States, the Equifax credit-scoring company has been awarded $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract with the IRS. Posted on the Federal Business Opportunities database on the final day of the fiscal year, Sept. 30, the award will pay the controversial credit agency federal funds to "verify taxpayer identity" and "assist in ongoing identity verification and validations" at the IRS.
According to the notice at Federal Business Opportunities, the Equifax contract is a "sole source order," which means that Equifax is the only company that the federal government has deemed worthy of providing the essential service. Moreover, the notice said that the sole source order was issued to prevent a lapse in identity checks while federal bureaucrats resolve a dispute over a separate contract.
Reaction to the award was bipartisan. Senate Finance Chairman Orrin Hatch (R-UT) told POLITICO, "In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed."
Speaking for the Democrats was Sen. Ron Wyden of Oregon, who said, "The Finance Committee will be looking into why Equifax was the only company to apply for and be rewarded with this. I will continue to take every measure possible to prevent taxpayer data from being compromised as this arrangement moves forward."
On Tuesday, Equifax's former CEO Richard Smith testified before Congress about the breach at the credit company. While the company had previously claimed that it was breached on May 13, first discovered the problem on July 29, and notified the public on September 7, Smith testified that he first heard about "suspicious activity" in a customer-dispute portal on July 31. He then hired cybersecurity experts from the law firm King & Spalding to investigate the breach on August 2. Smith claimed that, at that time, there was no indication that any customer's personally identifying information (PII) had been compromised. After repeated questions from lawmakers, Smith admitted he never asked at the time whether PII being affected was even a possibility.
Smith further testified that he didn't ask for a briefing about the "suspicious activity" until August 15, almost two weeks after the special investigation began and 18 days after the initial notice. He maintained that he did not have complete information on August 17. "I did not know the size, the scope of the breach," he told the committee. Smith told the presiding director of Equifax's board on August 22, while the board of directors was briefed on August 24 and 25. "The picture was very fluid," Smith said. "We were learning new pieces of information each and every day. As soon as we thought we had information that was of value to the board I reached out."
Speaking before the House Energy and Commerce Committee, Smith said: "As CEO I was ultimately responsible for what happened on my watch. To each and every person affected by this breach, I am deeply, deeply sorry that this occurred." Critics say that the breach could have been easily prevented by a simple software update and by encrypting clients' data instead of storing it in plaintext.