IRS hires Equifax despite massive data breach

If millions of consumers are fretting that the Equifax data breach has potentially put everything from their Social Security numbers to credit card data into criminal hands, one party seems noticeably less concerned: the U.S. government.

The IRS last week hired the credit reporting company to provide fraud prevention and taxpayer identification services, Politico reports, citing a government database that lists federal contracts. 

The tax agency retained Equifax to ensure it can continue to verify filers' identity while the IRS resolves a disagreement over another contract, according to the news outlet. 

The contract award comes as Equifax (EFX) is under fire in Washington for a security lapse that exposed sensitive financial information belonging to 145.5 million Americans, and more than three weeks after the company first disclosed the hack.

A spokeswoman for Equifax did not immediately respond to a request for comment. 

Former Equifax CEO Richard E. Smith, who stepped down following news of the breach, appeared before a House panel on Tuesday and apologized for the intrusion, which the company failed to detect for months. 

"As CEO I was ultimately responsible for what happened on my watch," he told lawmakers. "To each and every person affected by this breach, I am deeply, deeply sorry that this occurred." Under questioning, Smith admitted that the hacked customer data wasn't encrypted, a practice that's not illegal though not exactly safe, either.

Smith is scheduled to appear on Wednesday before the Senate Banking Committee, followed by the House Financial Services Committee on Thursday.

Equifax is under investigation by the Department of Justice, Federal Trade Commission, Securities and Exchange Commission and Consumer Federal Protection Bureau, as well as by more than 40 state attorneys general. 

As Smith sought to explain the cyberattack on Capitol Hill, security experts said companies like Equifax that collect large volumes of consumer data must do more to secure the info.

"At the end of the day, companies have to be more vigilant about patching their software," said Dimitri Sirota, CEO of security software maker BigID. "There's basic housekeeping: Don't put all your data in one place. You don't put all your diamond rings at the house at the front door. For companies that collect a lot of data, you have to be careful about how you maintain that data."  

-- Irina Ivanova contributed to this report.

    Alain Sherter covers business and economic affairs for CBSNews.com.