Senators demanded answers from Equifax on Wednesday after learning the IRS signed a contract for taxpayer verification with the credit reporting company following its disclosure of a massive data breach that affected 145 million Americans’ information.
“You realize to many Americans right now, that looks like giving Lindsay Lohan the keys to the minibar?” said Sen. John Kennedy, Louisiana Republican.
He was confronting former Equifax CEO Richard Smith, who was making the rounds before Congress this week to explain the breach.
“I understand your point,” Mr. Smith said.
Numerous lawmakers have indicated they will probe the $7 million contract further.
“I won’t ask for a show of hands in the room, but I don’t know who would want to say we should buy fraud protection from the people who were just hacked and dumped 145 million American records,” said Sen. Ben Sasse, Nebraska Republican. “As an American, why should anybody hire Equifax for fraud protection right now after the exposure?”
Members of the Senate Finance Committee wrote to IRS Commissioner John Koskinen asking him to provide additional details.
One IRS official called it a temporary contract awarded to ensure certain services continued while a contract dispute was reviewed.
Jeffrey Tribiano, the IRS deputy commissioner for operations support, told the House Ways and Means Committee that the IRS had awarded the contract to a different company, but Equifax protested the award. The contract was due to expire on Sept. 29, so a bridge contract was awarded to Equifax to keep services running in the meantime.
Hackers stole personal information, including Social Security numbers, birth dates and addresses, from the credit reporting company during a July cyber intrusion.
Though the company alerted the FBI and brought in forensic investigators to investigate the breach on Aug. 2, the company did not announce the breach to the public until Sept. 7.
Mr. Smith apologized for the horrific breach but said the company had worked with the government and other companies successfully for years before this incident.
“We will make it right as best we can, but it doesn’t wipe out 118 years of good work we’ve done,” he said.
At Mr. Smith’s second appearance of the day before the Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law, Sen. Patrick Leahy criticized Equifax for previously lobbying against legislation that would have required companies to more quickly disclose such security issues.
“You spent a lot of money lobbying against the consumer protection act that might require you to notify consumers immediately of such breaches,” the Vermont Democrat said. “Are you still going to fight and spend hundreds of thousands of dollars to stop that kind of a consumer protection bill from going through?”
Mr. Smith said he wasn’t aware of the prior lobbying effort Mr. Leahy raised, but said the company’s budget for such action is less than $1 million.
Sen. Marco Rubio, Florida Republican, wrote to Securities and Exchange Commission Chairman Jay Clayton to urge the agency “to require companies to promptly disclose significant hacks of material impact that make Americans vulnerable to identity theft.”
Complicating matters, three top executives sold nearly $2 million in company stock shares on Aug. 1 and 2 before Equifax announced the breach and stock values plunged, a move that generated additional outrage and accusations of insider trading.
Mr. Smith testified Wednesday that the three men were unaware of the security breaches and that the company’s general counsel had approved the stock sales.
Sen. Heidi Heitkamp told Mr. Smith that the company might want to consider several gestures to help defuse anger over the incident, including walking away from the IRS contract and returning the money the three executives made from the stock sales.
“My advice to you is do some things that are very, very visible and those are two things that you could do that would give us some certainty that this is being taken as seriously as it needs to be taken,” the North Dakota Democrat said.
• Andrea Noble can be reached at anoble@washingtontimes.com.