Of course the IRS needs to confirm that a given taxpayer is who they say they are. It’s step number one for all transactions. To that end, on the IRS website an individual answers questions about their personal and credit history like “On which of the following streets have you lived?” or “What is your current mortgage payment?” You may have encountered this method; the system is called Knowledge-based Authentication or KBA.
With the most recent Equinox hack at the top of the news, you may not recall that the Equifax KBA system used by the IRS was hacked back in 2015, resulting in a data breach of 700,000 records. That hack was accomplished via the Get Transcript function on the IRS website. The subsequent fix for victims of that breach was giving them an Identity Protection PIN. And then … the Get IP PIN login was hacked. Now the IRS has added a one-time code sent to a cellphone to protect the Get Transcript function. But really, it seems like the IRS and the contractors it chooses to work with are several steps behind. The story does not inspire confidence.
This makes the $7.25 million contract granted Equinox by the IRS for taxpayer identification services all the more mind blowing. It’s bad enough that Equinox was hacked, but that their KBA has already proved vulnerable should have been reason enough for the IRS to go elsewhere. That the contract is sole source, in other words no-bid, also sends up many red flags. Are there really no other companies able to do this work?
In the hands of adept, motivated and creative criminals working on their own (or state-sponsored), think of the havoc that could be wrought down on half the population of the U.S. From that point of view, the idea brought up by Rep. John Ratcliffe (TX-R) seems on point. He called for a DHS investigation of Equifax representing a cybersecurity risk to the federal government.
Former Equifax CEO Richard Smith recently testified at length in front of the House Committee on Energy and Commerce. It was a long and grueling testimony but it seems it came down to this: Smith explained that the breach happened as a result of one employee (out of almost 10K Equifax employees) failing to apply a software patch. This explanation is also cause for alarm. Surely it’s not too much to expect rigorous security protocols and quality control measures to be in place where taxpayer data is concerned. And wouldn’t it be nice if it were either Equifax or the U.S. government who red teamed the system, not hackers from who knows where.
The situation had some Committee members suggesting that the federal government needs to regulate credit monitoring companies like Equifax.
But Rep Greg Walden (R-OR) noted it would be hard to prevent cyberattacks from errors like the one Equifax suffered. He explained “I don’t think we can pass a law that fixes stupid.”