
The United States Internal Revenue Service (IRS) has suspended a contract granted to Equifax that allows the credit reporting firm to verify the identity of taxpayers following a number of high-profile security failures by the company.

The suspension comes on the heels of Equifax suffering from a security flaw that resulted in its website redirecting users attempting to freeze or challenge information on their credit report to adware.

The IRS issued a stop-work order to Equifax Thursday, temporarily suspending the company’s ability to provide services under its identity management contract. During the suspension, the IRS said it would review the security of Equifax’s systems and reassess its relationship with the firm going forward.

Because of the suspension, taxpayers will be unable to create new accounts for the IRS Secure Access service, which allows users to view and access online tax records and transcripts. If an individual wants to access their tax records, they will have to request the IRS mail the information to them.

Taxpayers visiting the Secure Access page will now receive an alert that informs them the Secure Access service "is unavailable for new users at this time." Existing users won’t have their access to information through the service disrupted during the suspension.

The IRS granted Equifax the $7.2 million short-term contract to provide its services just days after Equifax revealed it suffered a massive data breach that resulted in the exposure and theft of personal information of more than 145 million Americans. Included in the stolen data were Social Security numbers and, in some cases, credit card numbers.

Despite that breach, which Equifax failed to inform the public about for 40 days after discovering it, the IRS decided to move forward with the contract with the company, arguing that no IRS data was involved in the incident and the flaw in the company’s security system did not pose a threat to the services Equifax provides to the IRS.

Jeffrey Tribiano, the IRS deputy commissioner for operations, told Congress last week that the government agency was obligated to award Equifax the contract because of federal contracting rules that allowed the credit reporting firm to object to losing the contract to another company.

The IRS emphasized that point again in a statement acknowledging the suspension of Equifax’s contract, stating there is “still no indication of any compromise of the limited IRS data shared under the contract.”

Equifax also attempted to maintain its relationship with the IRS in a statement issued Friday. "We remain confident that we are the best party to perform the services required in this contract. We are engaging IRS officials to review the facts and clarify available options," the company said.

The IRS made its decision to pull the contract from Equifax after it was discovered the company’s website was redirecting users to a malicious download that would install adware on the user’s machine.

Equifax said Thursday the incident was not the result of an issue on Equifax’s end and its website was not directly hacked. Instead, the redirect to adware was the result of a third-party vendor being compromised. Equifax took the website offline in response to the issue.