Five months after Equifax hack, Social Security still relies on discredited firm

Social Security keeps stonewalling about what it paid Equifax to do and why it won't cut hacked firm loose

Published January 8, 2018 4:58AM (EST)

 (AP/Mike Stewart)
(AP/Mike Stewart)

Nearly five months after an unprecedented security breach at the credit rating firm Equifax exposed Social Security numbers and other data, making some 147 million Americans vulnerable to potential identity theft and fraud attacks, the Social Security Administration continues to use an identity security system devised by Equifax for the MySocialSecurity online portal.

Equifax was awarded a no-bid $10 million contract back in early 2016, as the company boasted at the time, “to help the SSA manage risk and mitigate fraud for the mySocialSecurity system, a personalized portal for customers to access some of SSA’s services such as the online statement.”  

After learning from a Sept. 15 Salon investigation about the SSA’s continued use of Equifax’s identity-verification system, Sen. Sherrod Brown, D-Ohio, and Sen. Orrin Hatch, R-Utah, wrote to Social Security asking them to terminate the contract. They also have urged the federal government to end all contracts with Equifax, at least until it is determined how the giant credit firm managed to be vulnerable to such a colossal hack and why it waited several months to notify affected Americans whose credit data it collects and maintains.

The SSA’s continued use of its Equifax contractor’s compromised work contrasts with the decision made by the Internal Revenue Service. On Oct. 13, apparently at the urging of Brown and Hatch, the IRS “temporarily suspended” its $7.2-million security verification contract with Equifax for taxpayers using the agency’s online access.

In a letter of explanation provided to Salon, the IRS wrote:

During this suspension, the IRS will continue its review of Equifax systems and security. The IRS emphasized that there is still no indication of any compromise of the limited IRS data shared under the contract.

The contract suspension is being taken as a precautionary step as the IRS continues its review. 

Suspending the identity-proofing work provided under the contract means that the IRS will be temporarily unable to create new accounts for taxpayers using Secure Access, which supports applications including online accounts and transcripts. Although people can’t create new accounts, current Secure Access users aren't affected by this contract change and will continue to have access to their accounts. Other taxpayers still have options available for things such as obtaining transcripts, which can be ordered by mail. The IRS notes most of its services and tools are unaffected by this change.

That might sound like a sound decision by the tax authority, but it also raises the question of why the IRS decided, just 10 days before that suspension, to renew its no-bid Equifax contract. After all, the story about the huge Equifax data breach was front-page news across the country in September, only a few weeks before that renewal. At the time of the renewal, Equifax was already under investigation by the Justice Department, the FBI and the Federal Trade Commission, according to CNN.

Politico, which initially broke the story of the IRS Equifax contract renewal, reported at the time that the IRS said it was maintaining the relationship “to prevent a lapse in identity checks” for online users.

Efforts to obtain answers from the IRS to other questions about the Equifax contract, such as what exactly the credit company was doing for the agency in return for its $7.25 million, were unsuccessful.

The SSA has been even less forthcoming. Press officer Mark Hinkle would only tell Salon that “Equifax is not, and has never been, responsible for the authentication of mySocialSecurity users, or building, maintaining or supporting any of Social Security’s platforms.”  

That response suggests that, in fact, all the financially strapped SSA actually got from Equifax for its $10 million was a bunch of security questions to ask those trying to prove their identity before accessing the online customer portal. (The SSA has been cutting back staff both in its central office and in branch offices, decisions that predate the Trump administration, pushing more and more of its transactions and information requests online.) 

Based on the questions actually found on the site, it would appear that Equifax offered a duplicate version of the questions it uses for its own flawed and hacked customer access security system for use by the SSA’s MySocialSecurity Portal, and no doubt the IRS’ online portal too.

As a result, elderly people seeking to make changes in their Social Security account -- for example, to shift deposits to a different bank when they move from their home into a nursing facility -- face wholly inappropriate questions, such as requests for a driver’s license, a credit-card number or a mortgage payment receipt. Many elderly beneficiaries might well have none of those documents. (I ran into exactly that problem when trying to help my 90-year-old father-in-law access his account so he could execute such a transfer. He simply could not do it since he doesn’t drive, doesn’t use credit cards and does not own a home. Our only apparent option was to transport him -- in a wheelchair, with an oxygen bottle in tow -- to the nearest Social Security office.)

Both the IRS and the SSA suggested that Salon would have to file a Freedom of Information request in order to learn what their contracts with Equifax were actually paying for. Perhaps surprisingly, Equifax was more forthcoming. An Equifax spokesperson told Salon that the company's work for both agencies involved providing them with “on-demand use of data services and analytical support to verify the identities of individuals seeking access to services from those agencies [and] . . . also income and employment verification services,” in the case of the SSA, “to aid in determining an applicant’s program eligibility.” The spokesperson added that the SSA “does not access the Equifax mainframe, nor does Equifax touch SSA systems,” explaining that “Equifax provides “back-end authentication services as part of the SSA registration/account opening process.”  

Sen. Brown’s office, unsatisfied with SSA inaction on this issue, is still calling for the agency to sever its relationship with Equifax. Brown is also asking that Equifax be barred from all contracts with the federal government until further notice.

By Dave Lindorff

Dave Lindorff, a 2019 winner of an Izzy Award for Outstanding Independent Media, is a founder of This Can't Be Happening!, the collectively-owned, six-time Project Censored Award-winning alternative online news site.

MORE FROM Dave Lindorff