6 October 2017

A characteristic common to publicly funded agencies is ensuring their appropriation is spent – use it or lose it. This may be seen as a splurge in the final days of the financial year.  Last week – the end of the United States Government fiscal year – saw an extraordinary example of this. The IRS has been troubled by tax-identity fraud and data breaches.  Congress earmarked more than $100 million for cybersecurity upgrades and identity theft prevention measures. But remedial progress has been slow.  Nothing  exceptional there.

What is surprising is that on 30 September the Federal Business Opportunities database (more flexible than the GETS “awarded contracts” facility on the NZ Government Procurement website)  indicated that a “sole source order”  for $7.25 million had been awarded by the IRS to a credit service provider to “verify taxpayer identity” and “assist in ongoing identity verification and validations”. Apparently only one company was deemed capable of providing the service, needed promptly to prevent a lapse in identity checks. while officials resolved other contractual issues. There was no contest.

As the financial year expired, a contract was awarded to one of the three main US credit checking agencies – the chief executive of which had devised a corporate strategy of gathering as much personal data as possible and finding new ways to sell it.

However the company has admirable corporate documents.   Its ten core values begin with “ Commitment to Integrity” and “Understanding that our employees are trusted stewards of our data, we strive to demonstrate unyielding integrity that is transparent in our actions…” and so on.

The company understands the market place;  “Data breaches are on the rise. Be prepared.”  “You’ll feel safer with (us)…”

It was “…strengthening its legacy of excellence, integrity and reliability.”   Apparently for the IRS it would a good partner  “to safeguard the integrity of our tax administration system.”

But the company is Equifax.  A company which only weeks previously experienced a major data breach exposing social security numbers, personal information and credit worthiness details of about 143 million people in the United States, and undisclosed numbers in Canada and the United Kingdom.

Equifax is also one of three credit reporting companies in New Zealand.  Its website states that Equifax holds data on more than 3.4 million credit-active individuals and approximately 600,000 companies and businesses throughout New Zealand, providing customers with the ability to make more informed decisions.  There has been no publicity about any New Zealanders’ records being exposed, possibly as the Australian and New Zealand operations of Equifax, bought from Veda in 2016, may not have been integrated into the company’s North American systems. Nonetheless these “credit-active individuals” are unlikely to consider themselves to be “customers” of Equifax.

Equifax discovered on 29 July that its US data had been accessible to hackers since May.  The Congressional Energy and Commerce Committee chairman said it was as if “the guards at Fort Knox forgot to lock the doors”. It was more than a month later before the hack was publicly announced.  The chief executive stood down.

But matters get worse. The US Justice Department has begun a criminal investigation into circumstances behind the sale of $1.8 million worth of company shares by three executives several days after the data breach was found – and weeks before it became public knowledge.

.The Senate Finance Committee Chairman said  that “In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed”.