The company hit by one of the largest-ever data breaches will soon get government money—to combat taxpayer fraud.
The IRS has awarded Equifax a $7.25 million no-bid contract to verify taxpayers’ identities.
[The contract] was posted the last day of the fiscal year, Saturday, on the government’s Federal Business Opportunities database. It was awarded Friday, three weeks after Equifax announced what Ars has described as “very possibly the worst leak of personal info ever.” According to the posting, Equifax will “assist in ongoing identity verification and validations” for the IRS.
News of the contract was published the day after Equifax disclosed that millions more consumers were affected by its data breach than had been reported previously.
… The company announced Monday that the total number of people impacted by its breach is not 143 million—the amount it first disclosed—but in fact 145.5 million. Its ability to casually misplace 2.5 million lives upended by the breach is alarming…
You’d think that government agencies would be reticent to work with Equifax given that it just exposed the private info of more than 145 million people through a preventable hack, but a massive data breach apparently isn’t enough of a deterrent.
Politico reported that the contract is a “sole source order,” meaning the company was deemed the only one capable of filling the IRS’ demand. Equifax is one of three major players, along with Experian and TransUnion, that control credit reporting in the United States.
However, that only underscores the problem here: the IRS had to trust a crucial anti-fraud system to a company that not only had sloppy online security practices, but has been reluctant to take full responsibility for its mistakes.
That reluctance was seen again Tuesday in a congressional hearing with Equifax’s former chief.
Congress is currently grandstanding while the lights are hot on Equifax, but there was still an overarching feeling of helplessness as former CEO Richard Smith testified in a House subcommittee Tuesday. U.S. Rep. Ben Ray Lujan, D-N.M., asked what the company would do to make affected consumers whole after the breach.
“I can’t answer the question,” Smith said.
Equifax has been heavily criticised for its response to the breach and congressman Frank Pallone said Equifax had an “ongoing lax attitude when it comes to protecting consumer data”.
He warned Smith that “if Equifax wants to stay in business, its entire corporate culture needs to change to one that values security and transparency.”
Congressman Paul Tonko said Americans now faced “a lifetime of risk” because of Equifax’s errors.
Other lawmakers were harsher with their criticism of Equifax.
The Guardian reported:
“It’s like the guards at Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults,” Greg Walden, the chairman of the House energy and commerce committee, told Smith. “How does this happen when so much is at stake?” Walden said. “I don’t think we can pass a law that fixes stupid.”
Yahoo announces breach hit all 3 billion users
Equifax isn’t the only company facing backlash following its data breach and subsequent crisis communications missteps.
On Tuesday, Yahoo—which is now owned by Verizon—announced that all 3 billion accounts that existed during its 2013 hack were probably affected by the security breach.
In a statement, the company said:
Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected. In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.
Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, Chief Information Security Officer, Verizon. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
Twitter users lashed out at both companies after the news hit:
A three billion account breach. Well, at least our credit reporting agencies are trustworthy and reliable… https://t.co/Uzes51S0iU
— October Daniels✏️ (@1aprildaniels) October 3, 2017
Equifax: We’re totally the worst about hacking!
Yahoo: Hold our unpatched servers.
— Shira Ovide (@ShiraOvide) October 3, 2017
Other users questioned how many more organizations experienced similar situations:
A reasonable question in the light of Yahoo + Equifax is how many huge companies have had massive data breaches they aren’t disclosing
— Joe Bernstein (@Bernstein) October 3, 2017
Can organizations regain consumers’ trust?
With data breaches becoming increasingly frequent, consumer trust has plummeted—and the organizations involved don’t seem to be moving toward greater transparency.
Smith told lawmakers he takes full responsibility for the hack and is “truly and deeply sorry for what happened.” He said the breach underscores the changes needed in how consumers’ credit data is handled.
The Guardian reported:
Looking ahead, Smith said “this humbling experience has crystalized” the need for an industry standard that places access to credit data in the hands of the consumer. He said the company’s lifetime lock program should become the industry standard. Second, he said the country should begin discussing the replacement of social security numbers as the primary means to verify a consumer’s identity.
“It is time to have identity verification procedures that match the technological age in which we live,” Smith said.
Smith’s hearing also highlighted the lack of consequences organizations such as Equifax or Yahoo face when revealing massive data breaches (especially months or years after they occur).
Still, the hearing revealed significant frustration from members of Congress at the lack of financial consequences for the company. “Under current law, you’re required to alert those whose account has been hacked, but there’s basically no penalty,” Rep. Joe Barton (R-TX) told Smith. “We’re going to have this hearing every year from now on if we don’t do something to change this system.”
Bloomberg reported that lawmakers suggested solutions that included replacing Social Security numbers as the primary means of identity verification, passing a federal law that requires organizations to disclose security breaches, increasing fines and regulation, and giving consumers greater control of their personal information.
How would you advise these organizations to repair their images, PR Daily readers?