Equifax still holds onto plum contract with IRS, five months after hack
12 January 2018
They said 2018 would be the year cyber security went from being an industry issue to being a consumer issue. They said as attacks grew more frequent, organisations would knuckle down and better ring-fence the data they hold. They said cyber security would be taken more seriously.
They were wrong.
I received a thousand and one predictions in my inbox all alluding to what I said earlier. However, if early indications are anything to go by, 2018 is all set to be a redux of what 2017 was security-wise. Basically, a car crash.
And by the looks of it, it will be down to the establishment for letting its citizens down. For not paying attention to data risks to the public and for, at times, a simple disregard for cyber security.
KPMG, in its 2018 forecast, said that governments will be working to bring cyber criminals down: “As criminals industrialise cyber-attacks using crime as a service model to rent attack tools and ransomware, governments are increasingly looking for ways to disrupt the infrastructure used by criminals. Closer links with telcos and service providers are being built along with the operational processes needs to block sites hosting malware, detect and counter phishing attacks. Trusted DNS services and Domain-based Message Authentication, Reporting and Conformance (DMARC) will be rolled out at scale across the community by both the National Cyber Security Centre and by organisations such as the Global Cyber Alliance. These community measures linked to improved intelligence sharing will start to make a difference.”
However, something quite the opposite is happening in the case of Equifax and the United States Social Security Administration. Equifax is the company behind one of the biggest data breaches in history, and the Social Security Administration is the US government agency that assigns social security numbers, administers the retirement, survivors, and disability insurance programs known as Social Security, and administers the Supplemental Security Income program for the aged, blind, and disabled.
And five months since a data breach that put details of 147 million US residents and 15.2 million British citizens at risk, Equifax is still involved in the identity security system for the MySocialSecurity online portal.
It was in September 2017 that the credit checking company announced details of one of the biggest data breaches ever. However, in October, POLITICO broke the news that it had been awarded a $7.25 million contract 'to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.'
It was only after significant lobbying by US senators that the IRS suspended the Equifax contract... but this is where it gets murky. The IRS renewed the no-bid contract that Equifax had going just 10 days before that suspension.
The IRS wrote to Salon and said:
'During this suspension, the IRS will continue its review of Equifax systems and security. The IRS emphasized that there is still no indication of any compromise of the limited IRS data shared under the contract.
The contract suspension is being taken as a precautionary step as the IRS continues its review.
Suspending the identity-proofing work provided under the contract means that the IRS will be temporarily unable to create new accounts for taxpayers using Secure Access, which supports applications including online accounts and transcripts. Although people can’t create new accounts, current Secure Access users aren't affected by this contract change and will continue to have access to their accounts. Other taxpayers still have options available for things such as obtaining transcripts, which can be ordered by mail. The IRS notes most of its services and tools are unaffected by this change.'
Even though the official line is that the IRS is maintaining the relationship “to prevent a lapse in identity checks” for online users, it is interesting to see that a government body would be so blind as not to see the public's concern.
For the mySocialSecurity system to still use Equifax's identity security system, especially one that was breached so recently, is comical.
Even though the SSA stonewalled Salon on what Equifax was contracted to do, by saying: 'Equifax is not, and has never been, responsible for the authentication of mySocialSecurity users, or building, maintaining or supporting any of Social Security’s platforms,' it was actually Equifax who accepted that they were, in fact, responsible for providing 'on-demand use of data services and analytical support to verify the identities of individuals seeking access to services from those agencies [and] . . . also income and employment verification services.'
Although lobbying to get Equifax out of their contracts has continued, as they say in all good mystery paperbacks, the plot thickens...
Author: Sunetra Chakravarti