Equifax lands $7.25m IRS fraud prevention contract despite its mammoth data breach

Equifax wins an uncontested contract with the IRS, even after its controversial handling of one of the worst data breaches in recent US history.


Credit ratings firm Equifax may have botched the response to its huge data breach affecting 145 million US citizens, but that hasn't stopped the IRS from awarding it a multi-million dollar contract to verify the identity of taxpayers who now face a higher risk of identity theft due to the firm's security lapse.

The breach, which happened in May and was discovered in July but only disclosed last month, gave hackers access to social security numbers, birth dates, addresses, driver's license numbers and credit-card information.

News of the IRS contract, first reported by Politico, emerged as Equifax execs were being grilled on Tuesday by members of the US House Committee on Energy and Commerce, Subcommittee on Digital Commerce and Consumer Protection.

The IRS awarded Equifax the deal on September 29 as a "sole source order", meaning no rivals were bidding for the work to "verify taxpayer identity" and "assist in ongoing identity verification and validations".

The IRS opted against a competitive process to cover the function as it works to resolve a dispute with the previous contractor.

"This is considered a critical service that cannot lapse," the IRS explains.

Equifax's former CEO, Richard Smith, who resigned over the breach, yesterday said he accepted responsibility for the incident.

He blamed "human error and technology" for Equifax's failure to identify that it was running a vulnerable version of Apache Struts, despite having been notified by US-CERT of the issue in March.

Senate Finance Committee chairman Orrin Hatch (R-Utah) told Politico it was "irresponsible" for the IRS to have awarded the contract to Equifax.

However, the IRS defended its decision to award the deal to Equifax.

"Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems," it said in a statement to Politico.

"At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation."

ZDNet has contacted Equifax for comment on the contract and will publish its response.


