The IRS got a lot of flak from both ordinary citizens and lawmakers when it awarded Equifax a fraud prevention contract earlier this month. After all, they forged their partnership after the credit reporting agency revealed that it recently suffered a massive security breach that affected 145 million Americans. Now, after reports came out that an adware installer lived in the agency's website, IRS has decided to temporarily suspend the $7.2 million, no-bid contract.
IRS commissioned Equifax to verify the identities of taxpayers signing up for a Secure Access account, which gives people access to online tax records and transcripts, on its website. Sign ups for Secure Access accounts have been suspended as a result, but anybody who already has one will not be affected.
The government agency didn't elaborate why it suspended the contract, but it could have something to do with the faux Adobe Flash installer a security analyst found on Equifax's website. After investigating the incident, Equifax admitted to Engadget that a downloader serving up malware lived in its website but stressed that it wasn't hacked yet again.
"Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal," a spokesperson told us in a statement. "The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor's code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor's code was removed from the webpage and we have taken the webpage offline to conduct further analysis."
As for the IRS, spokesman Matthew Leas said Secure Access account holders have nothing to worry about. Yes, it froze the contract, but "there is still no indication of any compromise of the limited IRS data shared" with Equifax." He explained that "the contract suspension is being taken as a precautionary step as the IRS continues its review."