You won’t find it on the Equifax newsroom site. Nor the IRS’ webpage. But thanks to numerous published reports, we know the IRS has hired Equifax. The Equifax from which hackers obtained personal information on nearly 150 million Americans. The IRS awarded a contract to Equifax to verify taxpayer identities.
The $7 million, sole-source deal is part of the IRS’ anti-fraud program. The award came just as ousted Equifax CEO Richard Smith was in the congressional hot seat.
The contract also comes as Equifax announces the conclusion of the forensic investigation phase of the breach. Mandiant found an additional 2.5 million affected people. Now the grand total is 145.5 million.
So the IRS will use Equifax data to verify taxpayer-submitted information. It will use the very same data that’s probably for sale right now on the dark web. That means Equifax will enable the IRS to verify whoever submits the data first. For taxpayers, that’s like rushing home to beat a robber who also has a key to the house. And the alarm codes. And a copy of the house title.
A FedBizOpps post on the contract says the sole-source award “to cover the required timeframe needed to resolve the protest.” Turns out Experian Information Solutions received the award originally in July, before the Equifax breach became public. Equifax protested. So it looks as if this latest deal bridges the agency until the Government Accountability Office decides the protest later this month. Larry Allen, a regular Federal Drive guest and longtime GSA Schedule 70 consultant, says that would be his guess. Now that Equifax has become a pariah company, I’m wondering why the IRS didn’t simply continue with Experian if the agency has a critical need.
Whatever. The IRS has received predictable criticism from members of Congress, that font of continual outrage. Several are demanding to know how the IRS came to its decision and who else might have been able to perform the work. Politico reports the IRS was reassured by Equifax that the agency’s data was not involved in the breach. And that the agency “believes the service Equifax provided does not pose a risk to IRS data or systems.”
The government has many reasons to deny contracts and even eligibility for contracts. The Office of Federal Contract Compliance Programs can levy fines and debar companies for labor law violations. But you won’t find “careless with people’s personal information” among the reasons it can initiate an enforcement action.
Contractors can be held accountable if they fail to protect government information, but not data about commercial or personal customers.
It may be true, as the IRS says, there’s no relation between the contracted services and the Equifax breach. But it sends an odd message. The Washington word is “optics.” The award makes it look as if taxpayers are rewarding a company that was careless with data on millions. Ironically, IRS is trying to overcome a relentless wave of fraudulent returns that denies people millions in refunds. Now it’s doing business with the very company that might strengthen that wave.