Equifax's IRS contract suspended 'as a precautionary step' after its website compromised again
Malicious adware was found on the Equifax website, disguised as a Flash Player update prompt.
The Internal Revenue Service (IRS) has temporarily suspended its contract with embattled credit reporting company Equifax. Under the contract, Equifax would have verified identities when people create new accounts on the IRS site and helped tackle tax fraud.
It was reported earlier this month that Equifax was awarded this contract on September 30 as a "sole source order" – only Equifax was capable of providing this particular service to the IRS. The firm bagged the contract despite its failure to prevent a recent cybersecurity breach that affected over 140 million people.
Now, Politico notes that the IRS has decided to temporarily back down from this contract after reports emerged that Equifax might have been compromised again. According to reports, Equifax's website served up malicious adware disguised as a fake Adobe Flash Player update.
The report goes on to say that this short-term suspension will mean new accounts cannot be opened through the Secure Access program. This service is designed to give users access to their records and transcripts online. Taxpayers who already have active accounts with the IRS for this service will be able to continue using it.
After temporarily suspending the contract, agency spokesman Matthew Leas said in a statement to Politico: "The IRS emphasised that there is still no indication of any compromise of the limited IRS data shared under the contract. The contract suspension is being taken as a precautionary step as the IRS continues its review."
As to why the contract was awarded in the first place, despite the lax security measures and systems used by the credit reporting agency, the report says that the IRS claimed its hands were tied and that it could not back away from the contract.
"Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems," the agency had said at the time. "We have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation."
The IRS's decision to continue using Equifax's services was criticized as well.
Equifax admitted last month that it was attacked by hackers, and private information of over 140 million people was stolen. It was touted as one of the largest cyber security heists of all time.
Equifax then scrambled to put together a way for people to check if their data had been leaked, but only confirmed responses to those who had not been affected. It was also revealed that the company was inadvertently sending breach victims to fake phishing sites for weeks.
The firm was subsequently hit with a multi-billion dollar class action lawsuit, and received another blow when it was revealed that it used passwords as simple as "admin" to secure its online portals.
In a congressional hearing, Equifax's ex-CEO Richard Smith then went on to say that the fiasco snowballed due to one person's error.
Just last week, news about Equifax's UK customers came to light with reports that over 15 million UK records were stolen.