On 4 October 2017, Internal Revenue Service officials faced questions during testimony before a U.S. House Ways and Means subcommittee to explain why the agency approved a $7.2 million dollar contract for identity verification services to Equifax on 29 September, despite the company's disclosure weeks earlier that it had suffered a massive security breach exposing sensitive personal data on as many as 145 million Americans.
"So, more than 20 days had passed since we learned of the greatest data breach in history, and you just signed a contract to pay Equifax to have access to IRS data for identity verification purposes. Did you approve and sign that contract?" Rep. Jackie Walorski (R-Indiana) asked IRS Chief Information Officer Gina Garza and Deputy Commissioner for Operations Support Jeffrey Tribiano. They said they had not.
Walorski characterized the contract award, first reported by Politico on 3 October, as an "abject failure" on the part of the IRS leadership:
The American people are sitting there this morning saying, "This is beyond abject failure, this is a management failure." If nothing, it shows that the IRS structurally needs some reform and needs major change. This is why the American people hold us accountable, and we try to hold you accountable, and then we have contracts being signed right in the middle of these investigations of the biggest data breach in the history of this country, exposing a massive amount of Americans now to identity theft.
Nor was she alone in her criticism of the arrangement. Sen. Mark Warner of Virginia tweeted:
Unbelievable. I can think of 145 million reasons why the IRS should have thought twice about this. https://t.co/cxQ1CzAoT5
— Mark Warner (@MarkWarner) October 3, 2017
Sen. Jeff Merkley of Oregon tweeted:
Seriously?! Have the people who awarded this contract been living under a rock for the last month?? https://t.co/xpWBDoOgiZ
— Senator Jeff Merkley (@SenJeffMerkley) October 4, 2017
Several senators jointly penned a letter urging IRS Commissioner John Koskinen to rescind the Equifax contract, which had been approved on a "sole source" (no-bid) basis and called on the company to provide services "to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service."
In the House hearing, Deputy Commissioner Tribiano described the 29 September contract as a stopgap measure to prevent the interruption of critical IRS functions. Equifax had been supplying identify verification services to the IRS for some time when officials decided earlier this year to go with a different provider, Tribiano said. However, Equifax challenged the switch, which meant it would have to be reviewed by the Government Accountability Office (GAO) before any new contract could take effect:
We had to either, one, stop the service, which means millions of taxpayers would not be able to get their transcripts, including those that are in need of it — like in the hurricane disaster areas, they use those tools to get their transcripts — or do a bridge contract with Equifax until GAO decides on the protest, and we move forward.
Chief information officer Girza said the IRS sent inspectors to make sure no IRS data was compromised in the Equifax breach and better safeguards were in place after the incident was reported, but Congressional disapproval remained high the day after the House subcommittee hearing, with Senators and House members of both parties calling for a review of the chain of events that led to the awarding of the contract.