IRS puts Equifax contract on hold during security review

NEW YORK (Reuters) – The U.S. Internal Revenue Service has temporarily suspended a contract worth more than $7 million it recently awarded to Equifax Inc following a security issue with the beleaguered credit reporting agency’s website on Thursday.

Equifax, which disclosed last month that cyber criminals breached its systems between mid-May and late July and made off with sensitive data on 145.5 million people, said on Thursday it shut down one of its website pages after discovering that a third-party vendor was running malicious code on the page.

“The IRS notified us that they have issued a stop-work order under our Transaction Support for Identity Management contract,” an Equifax spokesperson said on Friday.

“We remain confident that we are the best party to perform the services required in this contract,” the spokesperson said. “We are engaging IRS officials to review the facts and clarify available options.”

The IRS is the first organization to say publicly that it is suspending a contract with Equifax since the credit reporting agency’s security problems came to light.

Atlanta-based Equifax said its systems were not compromised by the incident on Thursday, which involved bogus pop-up windows on the web page that could trick visitors into installing software that automatically displays advertising material.

Still, the IRS said it decided to temporarily suspend its short-term contract with Equifax for identity-proofing services.

“During this suspension, the IRS will continue its review of Equifax systems and security,” the agency said in a statement. There was no indication that any of the IRS data shared with Equifax under the contract had been compromised, it added.

The move means that the IRS will temporarily be unable to create new accounts for taxpayers using its Secure Access portal, which supports applications including online accounts and transcripts. Users who already had Secure Access accounts will not be affected, the IRS said.

The IRS awarded the $7.25 million contract to Equifax on Sept. 29, weeks after Equifax disclosed the massive data hack that drew scathing criticism from several lawmakers.

“From its initial announcement, the timing and nature of this IRS-Equifax contract raised some serious red flags … we are pleased to see the IRS suspend its contract with Equifax,” Republican Representatives Greg Walden and Robert Latta said in a joint statement on Friday.

“Our focus now remains on protecting consumers and getting answers for the 145 million Americans impacted by this massive breach,” they said.

Government contracts in areas such as healthcare, law enforcement, social services, and tax and revenue are major sources of revenue for Equifax.

In 2016, government services made up 5 percent of Equifax’s overall $3.1 billion in revenue, accounting for 10 percent of its workforce solutions revenues, 3 percent of its U.S. information solutions revenues, and 7 percent of its international revenues, according to a regulatory financial filing.

Reporting by John McCrank in New York; additional reporting by Dustin Volz in Washington; Editing by Bill Rigby

Tech

Equifax takes down web page after report of new hack

NEW YORK (Reuters) – Equifax Inc said on Thursday it has taken one of its customer help website pages offline as its security team looks into reports of another potential cyber breach at the credit reporting company, which recently disclosed a hack that compromised the sensitive information of more than 145 million people.

The move came after an independent security analyst on Wednesday found part of Equifax’s website was under the control of attackers trying to trick visitors into installing fraudulent Adobe Flash updates that could infect computers with malware, the technology news website Ars Technica reported.
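The incident described here and in the IRS story above (a third-party vendor's code on an Equifax page pushing fake Flash update pop-ups) is the textbook failure mode of loading vendor scripts the page owner does not control. The audit below is an added example, not Equifax's code and not something the Reuters reports describe: it walks the external `<script>` tags of a page, flags third-party origins that are not on an allow-list, and flags vendor scripts that carry no Subresource Integrity (`integrity`) hash, since a script included without one can be swapped for arbitrary code on the vendor's side without a byte of the first party's own markup changing. The first-party origin, the allow-list and the sample markup are all assumptions constructed for the example; it runs under Node.js with no dependencies.

```javascript
// Added example (not Equifax's code and not from the Reuters reports):
// audit external <script> tags for un-allow-listed third-party origins and
// for vendor scripts loaded without a Subresource Integrity (SRI) hash.

const PAGE_ORIGIN = 'https://www.example.com';  // assumed first-party origin
const ALLOWED_ORIGINS = [                         // assumed vendor allow-list
  'https://cdn.jsdelivr.net',
  'https://analytics.example.net',
];

// Constructed sample markup. The integrity value is a placeholder, not a real
// hash; this check only looks at whether the attribute is present at all.
const SAMPLE_PAGE = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-vendor.com/widget.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lib@1.0.0/lib.min.js"
        integrity="sha384-PLACEHOLDERHASHVALUE" crossorigin="anonymous"></script>
<script>console.log('inline');</script>
<script src="//analytics.example.net/track.js" async></script>
</head><body></body></html>`;

const SCRIPT_TAG = /<script\b([^>]*)>/gi;
// Attribute name, then an optional ="..." | '...' | bare value. Boolean
// attributes such as async or a bare crossorigin match with an empty value.
const ATTR = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns one finding per problematic external script, in document order.
function auditScripts(html, pageOrigin, allowedOrigins) {
  const firstParty = new URL(pageOrigin).origin;
  const allowed = new Set(allowedOrigins);
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;               // inline script: not an external load
    let origin;
    try {
      // Resolves relative and protocol-relative (//host/path) URLs against the page.
      origin = new URL(attrs.src, pageOrigin).origin;
    } catch {
      findings.push({ src: attrs.src, origin: null, issues: ['unparseable src'] });
      continue;
    }
    if (origin === firstParty) continue;    // first-party asset: covered by your own deploy controls
    const issues = [];
    if (!allowed.has(origin)) issues.push('origin not on allow-list');
    if (!attrs.integrity) {
      issues.push('no integrity attribute');
    } else if (!('crossorigin' in attrs)) {
      // Browsers cannot verify an opaque cross-origin response, so integrity
      // without crossorigin makes the load fail instead of protecting it.
      issues.push('integrity without crossorigin');
    }
    if (issues.length) findings.push({ src: attrs.src, origin, issues });
  }
  return findings;
}

// Stand-alone run: print each finding for the constructed page.
for (const f of auditScripts(SAMPLE_PAGE, PAGE_ORIGIN, ALLOWED_ORIGINS)) {
  console.log(`${f.src} (${f.origin}): ${f.issues.join('; ')}`);
}
```

On the sample page the vendor widget is flagged twice (unknown origin, no hash) and the analytics tag once (no hash), while the pinned, allow-listed library passes. The caveat a practitioner needs: an SRI hash only fits versioned, static assets. Scripts that change on every load, which is what ad and analytics tags typically are and what served the pop-ups here, cannot be hash-pinned at all, so for those the remaining controls are a restrictive `Content-Security-Policy` `script-src`, review of what the vendor actually ships, and monitoring of what the production page really loads rather than what its markup says it loads.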

“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax spokesman Wyatt Jefferies said in an email. “Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

The Atlanta-based company, which has faced seething criticism from consumers, regulators and lawmakers over its handling of the earlier breach, said it would provide more information as it becomes available.

As of 1:15 p.m. (1715 GMT), the web page in question said: “We’re sorry… The website is currently down for maintenance. We are working diligently to better serve you, and apologize for any inconvenience this may cause. We appreciate your patience during this time and ask that you check back with us soon.”

Equifax shares were down 1.2 percent at $109.18 in early afternoon trading.

Randy Abrams, the independent analyst who noticed the possible hack, said he was attempting to check some information in his credit report late on Wednesday when one of the bogus pop-up ads appeared on Equifax’s website.

His first reaction was disbelief, he said in an interview with Reuters on Thursday. “You’ve got to be kidding me,” he recalled thinking. Then he successfully replicated the problem at least five times, making a video that he posted to YouTube.

Equifax’s security protocols have been under scrutiny since Sept. 7 when the company disclosed its systems had been breached between mid-May and late July.

The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice, and it has led to the departure of the company’s chief executive officer, chief information officer and chief security officer.

As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.

Reporting by John McCrank; Editing by Bill Rigby


Former Equifax chief apologizes to Congress over hack

WASHINGTON (Reuters) – The former head of Equifax Inc (EFX.N) apologized repeatedly on Tuesday at a congressional hearing for the theft of millions of people’s personal data in a hacking breach, saying it took weeks for the credit bureau to understand the extent of the intrusion.

Richard Smith retired last week but the 57-year-old executive led the company over the time of the hack, which Equifax acknowledged in early September.

Late on Monday, Equifax said an independent review had increased the estimate of potentially affected U.S. consumers by 2.5 million to 145.5 million.

In March, the U.S. Department of Homeland Security alerted Equifax to an online gap in security but the company did nothing, said Smith.

“The vulnerability remained in an Equifax web application much longer than it should have,” Smith said. “I am here today to apologize to the American people myself.”

Equifax keeps a trove of consumer data for banks and other creditors who want to know whether a customer is likely to default.

Former Republican Senator Saxby Chambliss checks his watch as he and City of Pasadena Councilmember Steve Madison stand with Richard Smith, former chairman and CEO of Equifax Inc., prior to Smith’s testimony before House Energy and Commerce hearing on “Oversight of the Equifax Data Breach: Answers for Consumers” on Capitol Hill in Washington, U.S., October 3, 2017. REUTERS/Kevin Lamarque

Smith said both technology and human error opened the company’s system to the cyber hack, which has been a calamity for Equifax, costing it about a quarter of its stock market value and leading several top executives to depart.

A company employee failed to tell the information technology team that a software vulnerability hackers could exploit needed to be fixed, Smith said. A later system scan then failed to uncover the weak point.


Smith said he was notified on July 31 that “suspicious activity had occurred,” after security personnel had already disabled the web application and shut down the hacking. He said he only learned in the middle of August the scope of the stolen data.

On Aug. 2, the company alerted the Federal Bureau of Investigation and retained a law firm and consulting firm to provide advice. Smith notified the board’s lead director on Aug. 22.

That timing could help dispel suspicions that three executives who sold stock on the first two days of August illegally used insider knowledge of the hack. Smith said the three “honorable men” did not know about the breach at that time.

Smith deferred to the FBI on questions of whether the hack had been sponsored by a nation-state.

“It’s possible,” he said when asked if the hackers were from another country.

Writing by Lisa Lambert and Patrick Rucker; Editing by Clive McKeef and Bill Rigby



Can Blockchain Prevent the Next Equifax? Not So Fast

Blockchain is a marvelous technology. It relies on sophisticated cryptography to create a tamper-evident ledger replicated across many computers, so that entries, once recorded, are very hard to alter or erase unnoticed. It’s no surprise, then, that pundits are popping up who say using blockchain can avert the next Equifax breach.

Too bad it’s not that easy. While blockchain is poised to transform a lot of things—from shipping to the diamond industry—it can’t fix sloppy data practices at the credit bureaus.

According to David Treat, who leads the blockchain practice at Accenture, the architecture of blockchains is not designed for massive data sets. He explained that, in the case of Equifax, the company’s business practice is about using algorithms to query a massive repository of customer records in order to spit out a credit score.


While consumers and companies could use a blockchain to access the score, it’s still up to the credit bureaus to protect the underlying pool of personal information. Doing that, says Treat, requires segregating sensitive data and properly encrypting it.

“Their focus should be on the latest encryption and security techniques for hardening and protecting data sources,” he said, adding the same advice applies for large retailers and other institutions sitting on stacks of personal information.

But while blockchain can’t be a substitute for good data hygiene, the technology will have a role in helping individuals exert control over their identity. For example, Accenture and Microsoft are building blockchain tools that will help migrants and refugees access school and medical records. Meanwhile, Treat predicts that blockchains will be useful for age verification—meaning a young person could use a blockchain app instead of a state driver’s license to enter a bar.

The bottom line is blockchain may be marvelous but it’s not a magic bullet. Thanks as always for reading—more crypto and cyber news below.

Jeff John Roberts

@jeffjohnroberts

jeff.roberts@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

Some side hustle. Several websites tied to CBS’s Showtime deployed ad code that forced visitors’ computers to mine crypto-currency on the sly. We’re pretty sure CBS didn’t green-light this particular pilot (a rogue hacker is the most likely culprit) but it’s worth noting Pirate Bay deliberately did the same thing recently. What company will try this next?

Hackers feast on restaurants. Cyber-crooks did a drive-by on drive-thru chain Sonic, and are poised to pig out on millions of stolen credit and debit cards. Meanwhile, hackers also struck Whole Foods—no word if they’ll be charging three times the usual price when they sell the stolen data on the dark web.

You say social media, I say surveillance. It’s long been clear social media isn’t just a way to keep tabs on our friends—it’s also a way for advertisers and law enforcement to keep tabs on us. But you can turn your paranoia dial up a little further: Homeland Security will begin collecting social media data on all immigrants and naturalized U.S. citizens (!), while the Justice Department is seeking an order for Facebook to disclose who “liked” an anti-Trump page.

Thanks for a job not well done. Equifax explained that CEO Richard Smith “retired” after his company’s giant data debacle. The retirement should be a very pleasant one: a Fortune review of securities filings indicates Smith will collect over $90 million in the next few years. Meanwhile, the company is trying to make amends with an apology and credit freeze offers that don’t really cut it.

Losing trust in Telegram. Many in crypto-land have long suspected the secure messaging app, Telegram, is compromised by weak encryption and ties to government. Their opinion won’t improve in light of claims by a former Telegram executive that the company has a Moscow office where staff work cheek-by-jowl with Kremlin sympathizers.


ACCESS GRANTED

A young man died suddenly in Colorado this year, leaving his family the burden of sorting out his estate. Little did they know their loved one had been investing in Bitcoin, the digital currency that cost as little as $13 in 2013 and recently climbed as high as $5,000.

The grieving family stood to inherit a small fortune—that is, if they could only find and access the cryptocurrency.

—An excerpt from The Ledger, Fortune’s new fin-tech franchise, which looks at the challenges of tracing crypto-currency when someone passes on. If the owners don’t tell anyone about their assets (which may be worth millions), they may be lost forever.

ONE MORE THING

A Stanford psychologist on the “art of avoiding a**holes.” For real. Vox has a fun (and useful) Q&A with the author of The No A**hole Rule, a 2010 guide to keeping jerks out of your company. His new work expands his advice to everyday life, including how to take the wind out of an a**hole’s sails.
