EFF co-founder John Perry Barlow once said that asking the government to protect your privacy is like asking a peeping tom to install your window blinds. The United States’ Internal Revenue Service, it seems, has taken this warning as a recommendation.
Former Equifax CEO Richard Smith testifying before the House Energy and Commerce subcommittee on Tuesday. (Photo: AP)
With no apparent sense of irony, the nation’s tax collectors have awarded embattled credit-reporting agency Equifax a contract to assist the IRS in verifying “taxpayer identities” as well as assist in “ongoing identity verification and validations,” according to contract award posted to the Federal Business Opportunities database.
The no-bid contract, which pays $US7.25 million ($9.25 million), is listed as a “sole source” acquisition, meaning the IRS has determined Equifax is the only business capable of providing this service — despite its involvement in potentially one of the most damaging data breaches in recent memory.
The contract, which was awarded on September 30th, was first reported Tuesday afternoon by Politico.
Equifax, of course, is facing intense criticism over a cybersecurity incident which reportedly compromised the personal information of roughly 145 million Americans. The company’s former CEO, Richard Smith, was taken to task on Tuesday while testifying before the House Energy and Commerce subcommittee. Smith resigned last week amid backlash over the company’s handling of the breach.
Republicans and Democrats alike lambasted the former chief executive over Equifax’s response. Representative Greg Walden was perhaps the harshest in his criticism. “I don’t think we can pass a law that fixes stupid,” he said. Walden compared the breach to a robbery at Fort Knox, saying Equifax had “forgot to lock the doors and failed to notice the thieves were emptying the vaults.”
Smith said the breach was the result of both “human error and technology errors,” admitting the company failed to apply critical software patches in March. Despite learning of the breach in late July, the company waited more than 40 days to notify the public, a fact that incensed several of the lawmakers. Representative Gene Green said that the company ought to be “shut down,” comparing it to a restaurant that failed regular health inspections.
Asked if Equifax had any knowledge of who might’ve been behind the breach Smith said he had “no opinion” to share. “We’re engaged with the FBI,” he said. “That’s all I’ll say.”
Representative Debbie Dingell, who is cosponsoring a House bill that would require prompt notification by companies in the event of a breach, told Gizmodo that Equifax should not be awarded any federal contracts until more is known about the company’s handling of the incident.
“After questioning Equifax’s former CEO today, I am left with more questions than answers,” Dingell said. “We don’t know how this breach happened, who is responsible or what Equifax is doing to prevent a similar security lapse from happening in the future. Until we get those answers, Equifax should not be rewarded for reckless data protection with a $US7.25 ($9) million IRS contract.”
Equifax did not immediately respond to a request for comment. An IRS spokesperson said the agency was preparing to address the contract with a statement but did not immediately have one available.