The IRS will pay Equifax $7.25 million to verify taxpayer identities and validation for the government agency under a no-bid contract issued on September 29, three days before a Congressional hearing in which legislators questioned Equifax's former CEO Richard Smith about the company's response to a data breach of 145.5 million people's personal information. Members of Congress admonished Smith for the company's oversight; the company had initially disclosed that 143 million people had been affected by the data breach. Members of Congress also tore into Smith for accepting $18.4 million in pension benefits after the fiasco. The Justice Department also opened an investigation into Equifax executives who sold almost $1.8 million of their company stock before the breach became public knowledge.
According to a contract award for Equifax's data services which appeared on the Federal Business Opportunities database on September 30 (the last day of the fiscal year), credit agency will "verify taxpayer identity" and "assist in ongoing identity verification and validations" at the IRS. The notice describes the contract as a "sole source order," which means the IRS believes Equifax is the only company deemed capable of providing the service.
Lawmakers leveled stinging criticism at the IRS for its decision.
"In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed," Senate Finance Chairman Orrin Hatch (R-Utah) told Politico in a statement.
Senator Ron Wyden (D-OR), the committee's ranking member, said: "The Finance Committee will be looking into why Equifax was the only company to apply for and be rewarded with this. I will continue to take every measure possible to prevent taxpayer data from being compromised as this arrangement moves forward.”
In a statement, the IRS defended its decision. "Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems," the statement reads. "At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation."
Equifax could not be reached for comment.