IRS awards Equifax no-bid, $7.25 million contract after hack

Smith Collection Gado/Getty Images

reader comments
11

Just because your resume says you exposed the personal data, including Social Security numbers, of some 143 million Americans while practicing unsafe security, it doesn’t mean you can’t score a multi-million dollar contract with the Internal Revenue Service. That’s the case even if your name is Equifax and you’re being contracted by the IRS to “verify taxpayer identity” to combat fraud.

The $7.25 million no-bid contract to Equifax was posted the last day of the fiscal year, Saturday, on the government’s Federal Business Opportunities database. It was awarded Friday, three weeks after Equifax announced what Ars has described as “very possibly the worst leak of personal info ever.” According to the posting, Equifax will “assist in ongoing identity verification and validations” for the IRS.

The contract was a “sole source order.” That means the IRS has determined that Equifax was the only company deemed capable of performing the contract, according to Politico. The IRS, which did not immediately respond for comment, said in the contract posting that “this is considered a critical service that cannot lapse.”

According to the contract posting:

This action was to establish an order for third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service.

Equifax, a credit reporting bureau, exposed a breathtaking amount of highly sensitive data to hackers—full names, Social Security numbers, birthdates, addresses, and, in some cases, driver license numbers. That’s the information that banks, insurance companies, and other businesses use to confirm that consumers are who they claim to be.

Richard Smith, the Equifax CEO at the time of the breach, apologized Tuesday for the hack while testifying before Congress. A series of costly delays and crucial errors caused the company to remain unprotected for months against one of the most severe Web application vulnerabilities in years, he said.

“The criminal hack happened on my watch… I take full responsibility,” he said. “I’m here today to say to each and every person affected by this breach I’m truly and deeply sorry for what happened.”