On Tuesday, members of Congress took turns using former Equifax CEO Richard Smith as a rhetorical punching bag during a hearing on the security breach that affected 145.5 million people.
But just days before, the Internal Revenue Service awarded the credit reporting company a contract worth $7.25 million. The contract, announced on Sept. 30 via the Federal Business Opportunities database, is for Equifax to help the IRS identify taxpayers and prevent fraud.
The tax agency needed to outsource this work because it’s handling a dispute on a different contract that affects its ability to fulfill these duties. The deal provides the IRS with “a critical service that cannot lapse,” according to the agency’s notification on the database.
However, it appears that Equifax was the only company that the IRS considered to handle these responsibilities, since the notice describes the arrangement as a “sole source order”—a type of contract in which the hiring body does not consider multiple applicants. Equifax’s careless approach to software security patches allowed hackers to penetrate its web application, so who knows what criteria the IRS was using.
The partnership between the IRS and Equifax, which have both been hit by high-profile data breaches, received bipartisan flak from Senate and House members. Politico, which first spotted the contract, obtained a letter to IRS Commissioner John Koskinen from Oregon Rep. Earl Blumenauer. It read, in part, “I was initially under the impression that my staff was sharing a copy of the Onion, until I realized this story was, in fact, true.” Senate Finance Chairman Orrin Hatch told reporters that “it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed.” New Mexico Sen. Martin Heinrich tweeted, “Equifax needs a lesson in fraud protection, not the other way around.”
In a statement to Politico, the IRS said: “Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems. At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation.”
Slate reached out to an Equifax representative, but we have not yet received a response.