Why Equifax won an IRS contract despite a massive hack

Caught between a rock and a hacked place, the IRS awards Equifax a multi-million-dollar contract to avoid losing authentication services for up to two weeks.

Alfred Ng Senior Reporter / CNET News

It looks like the US government still has faith in Equifax.

Three days before members of Congress blasted Equifax for mistakes related to its massive data breach, the IRS on Friday awarded the credit monitoring agency a multi-million-dollar contract.

The IRS will pay Equifax $7.25 million to help verify and validate taxpayer identities for the government agency.

The IRS already had enough trouble dealing with tax fraud, losing $5.8 billion to scammers in 2013. And if there's any company familiar with cybercrime, it's Equifax: It said last month that a breach of its network security allowed hackers to make off with the personal information of 145.5 million Americans. The hack included names, Social Security numbers, addresses and birthdays.

The contract, first reported by Politico, was posted to the Federal Business Opportunities database on Saturday. It describes the agreement as a "sole source order," calling Equifax's help a "critical service."

When it comes to credit monitoring, there are really only three major names in the US: Equifax, Experian and TransUnion. Experian has also suffered a breach. It was initially unclear why the IRS went with Equifax. Neither Equifax nor the IRS responded to requests for comment.

During a House Ways and Means committee hearing on Wednesday, however, the IRS explained it had to extend the contract with Equifax, as it was caught between a rock and a hacked place.

The IRS actually awarded its authentication service contract to another company in July, Jeffrey Tribiano, the agency's deputy commissioner for operations support, told members of Congress.

Equifax protested losing the contract to the US Government Accountability Office on July 7, according to documents. The office will decide on the protest by October 16. Until then, the IRS could not move on to its new partner.

That meant that when the IRS' old contract with Equifax was supposed to expire on Friday, Tribiano said, millions of Americans would not have been able to verify their identity with the agency for more than two weeks. 

"When the Equifax contract expired, we had to either stop the service, or do a bridge contract with Equifax until GAO decides on the protest," Tribiano said.

So the IRS coughed up $7 million, thanks to Equifax's protest bid filed about three weeks before the company learned it was hacked.

While the IRS is willing to trust Equifax again, several members of Congress spent up to three hours criticizing the company for its data breach during a House Committee on Energy and Commerce hearing on Tuesday.

Former CEO Richard Smith, who oversaw Equifax during the hack, apologized for the breach and blamed the issues on a single person and a software scanner that failed to find vulnerabilities.

"I'm tired of hearing that almost every month, there's another security breach," Rep. Joe Barton, a Republican from Texas, said during Smith's testimony.

Smith was also criticized for leaving the company with a "golden parachute," getting $18.4 million in pension benefits after Equifax's data disaster.

"If fraudsters destroy my constituents' savings and financial futures, there is no golden parachutes awaiting them," said Rep. Ben Lujan, a Democrat from New Mexico.

Even after facing the scorn of several lawmakers, the government is still spending taxpayers' money on Equifax. Rep. Paul Tonko, a Democrat from New York, said he was "deeply disturbed" to see the IRS awarding the contract to Equifax after all the controversy surrounding the company.

Rep. Earl Blumenauer, a Democrat from Oregon, demanded answers from the IRS commissioner on Tuesday. 

"I am shocked that the IRS would contract with this firm for activities that they are clearly unfit to carry out," Blumenauer wrote in a letter to the commissioner. 

First published on Oct. 3 at 6:17 p.m. PT.
Updated on Oct. 4, 8:19 a.m. PT: Adds details on why Equifax won the contract.