Walorski to IRS: $7 Million Equifax Contract After Massive Data Breach a “Management Failure”
Questions Why Identity Verification Contract Awarded Without Knowledge of Top IRS Data Officials
WASHINGTON – U.S. Rep. Jackie Walorski (R-Ind.) today questioned Internal Revenue Service (IRS) officials about why the agency awarded Equifax a $7.25 million no-bid contract to protect taxpayers’ identifying information after hackers stole more than 145 million Americans’ data from the credit reporting company.
“So more than 20 days had passed since we learned of the greatest data breach in history, and you just signed a contract to pay Equifax to have access to IRS data for identity verification purposes,” Congresswoman Walorski said. “I’m floored to sit here this morning. This is an abject failure. … This is beyond abject failure, this is a management failure. If nothing, it shows that the IRS structurally needs some reform and needs major change.”
Under questioning from Walorski at the hearing of the House Ways and Means Oversight Subcommittee, IRS Chief Information Officer Gina Garza and Deputy Commissioner for Operations Support Jeffrey Tribiano said they did not approve or sign the contract. In fact, Garza said she only learned this morning that the contract had been signed on September 29. Tribiano said Chief Procurement Officer Shanna Webbers would have signed the contract.
Equifax announced on September 7 that millions of Americans’ identifying information had been stolen in a data breach the company first became aware of months earlier. The total number of consumers believed to be affected has risen to at least 145.5 million.
Politico reported on Tuesday that the IRS last week awarded a “sole source” contract to Equifax to help verify taxpayers’ identities and prevent fraud.
Video of Walorski questioning Garza and Tribiano at the hearing is available here. The text of their exchanges is below.
REP. WALORSKI: Thank you, Mr. Chairman, and thank you to the panel for being here. Ms. Garza, on September 7th, nearly a month ago, we learned of the single largest data breach with more than 140 million individuals being impacted. When did the IRS learn of the breach?
MS. GARZA: So, we learned it as part of the news that evening. The very next day, we got together and started to talk about what that impact to the IRS might be.
REP. WALORSKI: On September 8th, the next day, you were in contact with Equifax about the scope of the breach, whether it impacted the IRS data, as you just said, In fact, the IRS sent a team of IT experts, criminal investigators, and the Treasury Inspector General for Tax Administration to Atlanta, to Equifax, to verify everything that Equifax had told the IRS, correct?
MS. GARZA: That’s correct.
REP. WALORSKI: Did you have any reason to doubt Equifax or what they had told you during that process?
MS. GARZA: I had no reason to doubt them, but it is our protocol to go and do a physical inspection to validate what we are being told.
REP. WALORSKI: Did you learn anything that caused concern?
MS. GARZA: So, in this case there were a couple of things. One, we were able to verify by looking at the forensics of what the bad actor did and was able to access that none of the IRS data had been compromised.
However, we did find that we had gotten inconsistent information when we had first talked to Equifax. We did find that in their network logs, along with other companies’ information, some of our information that we had sent over was maintained.
But as I said, there was no evidence that the bad actors were able to get to the network logs. Their primary area to look at were the databases.
REP. WALORSKI: I read last night in the press that the IRS had just signed a $7 million contract to have Equifax provide identity proofing. That contract was decided on September 29th, correct?
MS. GARZA: That’s what I had learned this morning.
REP. WALORSKI: So more than 20 days had passed since we learned of the greatest data breach in history, and you just signed a contract to pay Equifax to have access to IRS data for identity verification purposes. Did you approve and sign that contract?
MS. GARZA: I did not.
REP. WALORSKI: Mr. Tribiano, did you approve and sign that contract?
MR. TRIBIANO: No ma’am, I did not.
REP. WALORSKI: Who signed the contract?
MR. TRIBIANO: Our procurement officer would’ve signed that contract.
REP. WALORSKI: And who is that?
MR. TRIBIANO: Ms. Shanna Webbers.
REP. WALORSKI: How many employees did the IRS have the authority to sign a $7 million contract binding the IRS on IT issues?
MR. TRIBIANO: I’d have to get back to you on that, ma’am. I don’t have that number.
REP. WALORSKI: Can you do that?
MR. TRIBIANO: Yes ma’am.
REP. WALORSKI: You know, I just, I’m floored to sit here this morning. This is an abject failure. And I haven’t been on this committee very long, but I think this is my third or fourth hearing already on this issue of IT and who’s responsible. And we sit here this morning, and we talk about all of these issues we’ve talked about before with no changes happening.
The American people are sitting there this morning saying, ‘This is beyond abject failure, this is a management failure.’ If nothing, it shows that the IRS structurally needs some reform and needs major change. This is why the American people hold us accountable, and we try to hold you accountable, and then we have contracts being signed right in the middle of these investigations of the biggest data breach in the history of this country, exposing a massive amount of Americans now to identity theft.
Frankly, the IRS should not be in a position to have major IT acquisitions happening without you, Ms. Garza, or you, Mr. Tribiano, even knowing that they are happening. I don’t think there’s anything that anybody could say at this point other than pointing the fingers now to a third person that signed the contract. Mr. Tribiano, did you want to say anything?
MR. TRIBIANO: Yes ma’am, if I can. I just want to clarify a couple things, if I can, and walk through this. And this is not an excuse, this is just what happens. We had a contract with Equifax, we had two different contracts. We had one that was managed out of our privacy team, and that was for credit monitoring. That contract was competed and awarded to different vendors. That happened and went into effect October 1. We had the other contract, which was our e-authentication and service contract. That was competed –
REP. WALORSKI: Excuse me. Could I just – I know we’re gonna run out of time here, I see the yellow light – and I know you’re going to get back to me the number of people that can sign these contracts, but obviously Ms. Garza can and you can, and the woman that you just explained can. Who else can? That’s three right there, but who else has the authority to sign something like a $7 million contract?
MR. TRIBIANO: I’ll get back to you on that, ma’am, about the numbers, but I want –
REP. WALORSKI: But you have to know the other people in the office that can sign.
MR. TRIBIANO: Well, there are certain procurement officers that have warrants to be able to do that. I just don’t have the—
REP. WALORSKI: So are we talking 10 people, are we talking 15 people, are we talking five people?
MR. TRIBIANO: The range of what procurement officers warrants are for are varied. Some procurement officers have warrants up to a certain dollar amount. I’d have to be able to get you that breakdown and show you who in what category can.
REP. WALORSKI: I appreciate it, and I know I’m out of time. Thank you, Mr. Chairman, I yield back.
Walorski represents the 2nd Congressional District of Indiana, serving as a member of the House Ways and Means Committee.