Shortly after we all learned of a massive security breach at Equifax in which the personal information of 145.5 million (revised up from 143 million) Americans and sundry Brits and Canadians was plundered by hackers, the US Internal Revenue Service awarded Equifax a no-bid contract – to provide identity verification services for the tax authority.
The tech contract was awarded on September 29, the same month the network intrusion was revealed, and will be worth $7,251,968 to the troubled credit reporting agency. The fact that the deal was signed off after the news of the massive security failure broke last month suggests someone at the IRS either doesn't pay attention to the headlines, or just doesn't care one way or the other.
People's social security numbers, used by the IRS to identify folks, were among the private information left unencrypted on accessible servers and then stolen from Equifax. Which is now being paid to identify US taxpayers. That totally makes sense.
"This action was to establish an order for third party data services from Equifax to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service," the IRS contract notification, dated September 30, stated.
"A sole source order is required to cover the timeframe needed to resolve the protest on contract TIRNO-17-Z-00024. This is considered a critical service that cannot lapse."
Then again, the IRS has form with crap IT security. In 2015, the tax agency admitted about 100,000 US citizens had had their personal information slurped from its servers by miscreants, so it may feel right at home dealing with the klutzes at Equifax.
On Tuesday, Equifax's former CEO Richard Smith faced a mild grilling from American politicians over the company's woeful handling of the database breach. Smith blamed the entire hack on a single staffer who knew about a flaw in Apache Struts that the hackers exploited to break in but who didn’t insist the IT department patch to protect systems.
Not that he looked too bothered, sitting before a US House energy and commerce subcommittee. Smith, along with the credit agency's CIO and CSO, haven't been fired but instead have simply resigned, er, retired and floated away on their golden parachutes. Smith himself got a payoff of about $90m after his incompetence put most of the adult population of America at risk of identity theft. ®