IRS suspends Equifax contract as ‘precautionary step’ following credit agency’s data breach

The Internal Revenue Service on Friday suspended its short-term contract with Equifax, citing new information about the credit reporting agency, and suspended electronic authentication services for millions of taxpayers.

In a statement from IRS Spokesman Matthew Leas, IRS said it had temporarily suspended the identity-proofing services “as a precautionary step” while the agency reviews whether any taxpayer data was jeopardized as part of Equifax’s massive September data breach.

“Suspending the identity-proofing work provided under the contract means that the IRS will be temporarily unable to create new accounts for taxpayers using Secure Access, which supports applications including online accounts and transcripts,” Leas said in a statement. “Although people can’t create new accounts, current Secure Access users aren’t affected by this contract change and will continue to have access to their accounts. Other taxpayers still have options available for things such as obtaining transcripts, which can be ordered by mail. The IRS notes most of its services and tools are unaffected by this change.”

Leas said there is still no indication any IRS data was compromised as a result of the breach, which impacted more than 145 million people.

An Equifax spokeswoman said in a statement the company was notified by IRS Thursday that they had issued a stop-work order under their Transaction Support for Identity Management contract.

“We remain confident that we are the best party to perform the services required in this contract,” the spokeswoman said. “We are engaging IRS officials to review the facts and clarify available options.”

The contract suspension comes after widespread criticism that followed the announcement that IRS had entered into a contract for e-authentication services with Equifax less than a month after the breach’s announcement.

Rep. Earl Blumenauer (D-Ore.) told IRS Commissioner John Koskinen in a letter he was “shocked” the IRS would enter into a contract with a company “for activities that they are clearly unfit to carry out.”

Bipartisan members of the House Energy and Commerce Committee also sent a letter to IRS demanding details about the contract, because “the timing and nature of this IRS contract raises red flags given the recent breach at Equifax.”

Shortly after the contract announcement, IRS Deputy Commissioner for Operations Support Jeffrey Tribiano testified to Congress that IRS initially had two contracts with Equifax: one for credit monitoring and another for electronic authentication.

The credit monitoring contract was recompeted and awarded to a new vendor, Tribiano said. The IRS also awarded the e-authentication contract to a new vendor, but in July Equifax protested the decision.

“That’s under [the Government Accountability Office] right now for a decision about which way to go,” Tribiano said. “When we came down to Sept. 20, when the [current] Equifax contract expired, we had to either stop the service, which means millions of taxpayers would not be able to get their transcripts, including those in need of it like in the hurricane disaster areas, or do a bridge contract with Equifax until GAO decides on the protest and we move forward.”

According to a statement from a GAO spokesman, obtained by Federal News Radio, “Congress gave agencies, like the IRS in this case, the tools to move forward under appropriate situations.”

“They appear to be electing not to use it,” the spokesman said.

GAO’s ruling on the protest is expected Monday, the last day of the 100-day time frame for auditors to rule on a protest from the day of its filing.

The short-term bridge contract is worth about $1.3 million for the first three months.

IRS Chief Information Officer Gina Garza testified at the same hearing as Tribiano and said IRS sent a team to Equifax to analyze the breach and, working with the Treasury Inspector General for Tax Administration, went through the breach information before combing through each IRS application to determine whether anything was putting or could put the agency’s system at risk.

Garza said about 209,000 Social Security numbers were flagged as possibly being at a higher risk for foul play as a result of the breach, and so the agency is putting protections on those specific accounts.