Credit ratings firm Equifax may have botched the response to its huge data breach affecting 145 million US citizens, but that hasn't stopped the IRS from awarding it a multi-million dollar contract to verify the identity of taxpayers who now face a higher risk of identity theft due to the firm's security lapse.
The breach, which happened in May and was discovered in July but only disclosed last month, gave hackers access to social security numbers, birth dates, addresses, driver's license numbers and credit-card information.
News of the IRS contract, first reported by Politico, emerged as Equifax execs were being grilled on Tuesday by members of the US House Committee on Energy and Commerce, Subcommittee on Digital Commerce and Consumer Protection.
The IRS awarded Equifax the deal on September 29 as a "sole source order", meaning no rivals were bidding for the work to "verify taxpayer identity" and "assist in ongoing identity verification and validations".
The IRS opted against a competitive process to cover the function as it works to resolve a dispute with the previous contractor.
"This is considered a critical service that cannot lapse," the IRS explains.
Equifax's former CEO, Richard Smith, who resigned over the breach, yesterday said he accepted responsibility for the incident.
He blamed "human error and technology" for Equifax's failure to identify that it was running a vulnerable version of Apache Struts, despite having been notified by US-CERT of the issue in March.
Senate Finance Committee chairman Orrin Hatch (R-Utah) told Politico it was "irresponsible" for the IRS to have awarded the contract to Equifax.
However, the IRS defended its decision to award the deal to Equifax.
"Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems," it said in a statement to Politico.
"At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation."
ZDNet has contacted Equifax for comment on the contract and will publish its response.