Just yesterday, we told you about a malicious prompt that was appearing on Equifax’s website when customers tried to dispute errors on their credit reports. The pop-up prompted users to download a new version of Flash Player, only to install tough-to-identify adware instead. It looks like Equifax may be paying the price for that particular oversight, as the IRS has temporarily suspended a fraud prevention contract it awarded the company earlier this month.
The IRS was the subject of a lot of derision once that no-bid contract was given to Equifax. By the time the IRS had made the decision to go with Equifax for fraud prevention, the scope and severity of the Equifax breach were already obvious, leaving many to wonder what the IRS was thinking. That contract was worth $7.2 million, and left the task of verifying the identities of people signing up for the IRS’s Secure Access program to Equifax.
As of last night, however, that contract has been temporarily suspended, Politico reports. Though the IRS didn’t give a direct reason for the suspension, it’s worth noting that the decision came after those reports of bogus download prompts on the Equifax website. The IRS says that the suspension is a “precautionary” measure as it continues to investigate the security of Equifax’s systems. As a result of this suspension, new sign-ups for Secure Access are temporarily closed, but current subscribers should see no change.
For what it may be worth, Equifax told Engadget that the malicious download prompts weren’t the result of another breach, but rather code from a third-party company Equifax used for site analytics. Equifax said that the code has since been removed and the affected pages taken offline, but it’s likely that the damage is done. It’s another awful mess-up from a company that has handled the response to its massive security breach very poorly.
From here, there’s no telling what the IRS will do. It could very well determine that Equifax’s security is up to snuff, or it could (and should) look at the pile of evidence for incompetence on the part of Equifax and pull the contract. We’ll keep you updated on the matter, so stay tuned.