IRS puts Equifax contract on hold during security review

NEW YORK (Reuters) – The U.S. Internal Revenue Service has temporarily suspended a contract worth more than $7 million it recently awarded to Equifax Inc following a security issue with the beleaguered credit reporting agency’s website on Thursday.

Equifax, which disclosed last month that cyber criminals breached its systems between mid-May and late July and made off with sensitive data on 145.5 million people, said on Thursday it shut down one of its website pages after discovering that a third-party vendor was running malicious code on the page.

“The IRS notified us that they have issued a stop-work order under our Transaction Support for Identity Management contract,” an Equifax spokesperson said on Friday.

“We remain confident that we are the best party to perform the services required in this contract,” the spokesperson said. “We are engaging IRS officials to review the facts and clarify available options.”

The IRS is the first organization to say publicly that it is suspending a contract with Equifax since the credit reporting agency’s security problems came to light.

Atlanta-based Equifax said its systems were not compromised by the incident on Thursday, which involved bogus pop-up windows on the web page that could trick visitors into installing software that automatically displays advertising material.

Still, the IRS said it decided to temporarily suspend its short-term contract with Equifax for identity-proofing services.

“During this suspension, the IRS will continue its review of Equifax systems and security,” the agency said in a statement. There was no indication that any of the IRS data shared with Equifax under the contract had been compromised, it added.

The move means that the IRS will temporarily be unable to create new accounts for taxpayers using its Secure Access portal, which supports applications including online accounts and transcripts. Users who already had Secure Access accounts will not be affected, the IRS said.

IRS granted the $7.25 million contract to Equifax on Sept. 29, weeks after Equifax disclosed the massive data hack that drew scathing criticism from several lawmakers.

“From its initial announcement, the timing and nature of this IRS-Equifax contract raised some serious red flags … we are pleased to see the IRS suspend its contract with Equifax,” Republican Representatives Greg Walden and Robert Latta said in a joint statement on Friday.

“Our focus now remains on protecting consumers and getting answers for the 145 million Americans impacted by this massive breach,” they said.

Government contracts in areas such as healthcare, law enforcement, social services, and tax and revenue are major sources of revenue for Equifax.

In 2016, government services made up 5 percent of Equifax’s overall $3.1 billion in revenue, accounting for 10 percent of its workforce solutions revenues, 3 percent of its U.S. information solutions revenues, and 7 percent of its international revenues, according to a regulatory financial filing.

Reporting by John McCrank in New York; additional reporting by Dustin Volz in Washington; Editing by Bill Rigby

Equifax takes down web page after report of new hack

NEW YORK (Reuters) – Equifax Inc said on Thursday it has taken one of its customer help website pages offline as its security team looks into reports of another potential cyber breach at the credit reporting company, which recently disclosed a hack that compromised the sensitive information of more than 145 million people.

The move came after an independent security analyst on Wednesday found part of Equifax’s website was under the control of attackers trying to trick visitors into installing fraudulent Adobe Flash updates that could infect computers with malware, the technology news website Ars Technica reported.

“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax spokesman Wyatt Jefferies said in an email. “Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

The Atlanta-based company, which has faced seething criticism from consumers, regulators and lawmakers over its handling of the earlier breach, said it would provide more information as it becomes available.

As of 1:15 p.m. (1715 GMT), the web page in question said: “We’re sorry… The website is currently down for maintenance. We are working diligently to better serve you, and apologize for any inconvenience this may cause. We appreciate your patience during this time and ask that you check back with us soon.”

Equifax shares were down 1.2 percent at $109.18 in early afternoon trading.

Randy Abrams, the independent analyst who noticed the possible hack, said he was attempting to check some information in his credit report late on Wednesday when one of the bogus pop-up ads appeared on Equifax’s website.

His first reaction was disbelief, he said in an interview with Reuters on Thursday. “You’ve got to be kidding me,” he recalled thinking. Then he successfully replicated the problem at least five times, making a video that he posted to YouTube.

Equifax’s security protocols have been under scrutiny since Sept. 7 when the company disclosed its systems had been breached between mid-May and late July.

The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice, and it has led to the departure of the company’s chief executive officer, chief information officer and chief security officer.

As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.

Reporting by John McCrank; Editing by Bill Rigby

Equifax says 15.2 million UK records accessed in cyber breach

(Reuters) – U.S.-based credit reporting agency Equifax Inc said on Tuesday that the massive cyber attack it disclosed in September compromised the sensitive personal details of nearly 700,000 consumers in the United Kingdom.

Equifax said that 15.2 million UK records dating from 2011 to 2016 were exposed in the incident, which affected 145.5 million people overall, but that 14.5 million of the exposed UK records did not contain information that put consumers at risk.

Reporting by John McCrank in New York; Editing by Richard Chang
