IRS suspends Equifax contract extension after second security issue

Equifax has had a second security breach and that was enough for the IRS to suspend work with the credit reporting bureau under a recent $7.2 million contract extension.

This time Equifax discovered a issue with a third party vendor it uses to collect website performance data. That company's software ran on Equifax's website and served up malicious code. The third-party software has been removed and Equifax shut down the website as it continued to investigate.

With that news, the IRS suspended Equifax.

I know I gave a rather impassioned defense of the IRS decision to continue using Equifax to confirm the identities of taxpayers access records and other information their website.

But according to published reports, the IRS has suspended the Equifax service and is not accepting new enrollees. If you have already enrolled, you’re fine and can continue to access your account online.

The suspension is being described as temporary as the IRS continues to review Equifax’ security operations.

Both the IRS and Equifax came under heavy fire from Congress last week who lambasted IRS executives about their decision to award the extension to Equifax. The extension was needed because Equifax is the incumbent contract but filed a protest with GAO after it lost the recompete to fellow credit bureau Experian.

As is standard operating procedure, the IRS extended Equifax’s contract until the protest is resolved because the agency was still in need of those services.

With this second possible breach, I think the IRS has made the right decision.

But I still stand by my criticism of Congress and its poor understanding of the procurement process. They really need to do better.