IRS suspends Equifax contract following malware page
The IRS suspended a $7.25 million contract with Equifax following news that one of the credit reporting service’s web pages exposed users to potential malware attacks.
The agency had already been taking heat from lawmakers over awarding the contract—which called on the company to provide taxpayer identity verification services—following the disclosure that a hack had exposed the information of 145.5 million people.
Reports emerged on Oct. 12 that an Equifax webpage contained fake Adobe Flash update links that would deliver malware to any user who clicked on them. Equifax later took the webpage down.
Late on Oct. 12, the IRS said that it was temporarily suspending the contract, a move applauded by lawmakers.
“After sending a bipartisan letter to Commissioner Koskinen expressing our concerns, we are pleased to see the IRS suspend its contract with Equifax and look forward to the agency’s response to our inquiries,” House Energy and Commerce Committee Chairman Rep. Greg Walden, R-Ore., and Subcommittee on Digital Commerce and Consumer Protection Chairman Rep. Bob Latta, R-Ohio, said in a joint statement.
IRS officials had previously argued that their hand was forced on the awarding of the sole-source contract because Equifax, the incumbent contractor on a previous deal, had protested the July decision to give it to another vendor.
The protest was being evaluated by the Government Accountability Office, but IRS officials told Congress that they were concerned that the contract could expire before a resolution could be made, jeopardizing the functionality of the e-verify service for users.
Jeffery Tribiano, IRS deputy commissioner for operations support, told the House Ways and Means Committee that as a result of Equifax’s protest, the agency’s only option was to effectively renew the no-bid contract with the Atlanta-based company.
“So when we came down to Sept. 29 when the Equifax contract expired, we had to either stop the service, which means millions of taxpayers would not be able to get their transcripts, including those that are in need of it, like in the hurricane disaster areas they use those tools to get their transcripts, or do a bridge contract with Equifax until GAO decides on the protest and we move forward,” he said.
But the GAO told Politico on Oct. 5 that the IRS did not have to award the contract to Equifax, explaining that federal agencies possess “the tools to move forward under appropriate situations.”
GAO has 100 days from a protest filing to render a decision on whether to accept or deny it, but within that span, agencies can opt for dispute resolution or other negotiation options to resolve the protest.
As a result of the contract suspension, new users will not be able to access e-services like Get Transcript. Existing users can still utilize the services.