Taxing Definitions

Definition – A whale of a breach

Thanks for sharing!
4 minute read


Image source: Sho Hatakeyama on Unsplash

Once more into the breach… The security breach of an Equifax online dispute portal from May to July 2017 was a whopper. According to a report published by the US Government Accountability Office in August 2018, records containing personally identifiable information of at least 145.5 million people in the US and nearly 1 million outside of the US were compromised.

What does that have to do with tax? The internal revenue service used Equifax as the contractor for taxpayer identity and verification services and was one of Equifax’s largest federal customers (along with the post office and the social security administration). One reason the IRS verifies taxpayer identity is to make sure that individuals who want to access prior year tax returns are the legitimate filers of those returns.

Due to concerns about the potential for fraud using the stolen data, the IRS got a list of the individuals affected by the breach from Equifax. The IRS used the list to identify which taxpayers were affected and to look for potential instances of identity fraud affecting those taxpayers. The IRS made public announcements about the impact of the breach, noting that the agency did not expect the breach to have any impact on taxpayers’ ability to securely file tax returns.

As a result of the breach, the IRS changed the Equifax contract for credit reporting services to require prompt notification of any future breach.




Do you think Equifax is still the contractor for IRS taxpayer identity and verification services?




One result of the Equifax breach was the Economic Growth, Regulatory Relief, and Consumer Protection Act, a law that was signed into effect in May 2018.



Note: Taxing Lessons provides a summarized version of sometimes lengthy court decisions and official documents. The full documents may include facts and issues not presented here. Please use the link provided in the post to read the entire document.

This information should not be considered legal, investment, or tax advice. Taxing Lessons and Top Drawer Ink Corp. do not provide legal, investment, or tax advice. Always consult your legal, investment, and/or tax advisor regarding your personal situation.


Other posts you might enjoy

Definitions — More and less, yes or no   Image source:   In general, you're required to file a federal income tax return when your gross income is equal to or exceeds the sum of your exemption plus standard deduction (internal revenue code section 6012(a)(1)). For 2018 returns, to be filed in 2019, the...
Definition — Convenient meals   Image source: Public domain image from   Are you eating lunch at your desk? Perhaps your employer provides meals for a business reason, such as when the meals are necessary for you to do your job properly. These "convenience of employer" meals are not taxable to ...
Definition — Collecting the debt   Image source: Kody Gautier on Unsplash   Have you heard about the guy who walked into an accounts receivable department to pay a compliment? The old joke may be a possibility for the private debt collection agencies hired by the government to collect delinquent tax debts. A cus...
Definition — Losing the deduction   Image source: Dawid Zawiła on Unsplash   One casualty of the December 2017 federal tax law was the personal casualty and theft loss deduction (section 165 of the internal revenue code). With a few exceptions, as of January 1, 2018, nonbusiness losses from sudden, unexpected, or...

Equifax did not directly notify major federal customers of the 2017 breach prior to its public announcement because its contracts with those agencies required notification only of breaches directly involving the systems that provided services to the federal government.

IRS officials stated that the contract with Equifax for credit reporting services was changed to require Equifax to promptly notify the IRS of any data breach, regardless of which of the company’s systems it may affect.

The contract change also required the company to notify the IRS within one hour after a breach is discovered, rather than within the previous time frame of 24 hours.

In addition, according to the officials, cybersecurity language in the IRS’s contract was modified to ensure better implementation and oversight of technical security controls.

Sorry, wrong answer :(
Right answer!

In June 2017, prior to the discovery of the breach, the IRS began a new acquisition for taxpayer identity and verification services by issuing a request for quotations to three consumer reporting agencies (including Equifax and Experian) holding contracts under the federal supply schedule.

The IRS selected Experian as offering the lowest-priced, technically acceptable quotation, for issuance of a fixed-price task order and establishment of a blanket purchase agreement.

Equifax filed a bid protest on July 5, 2017, with the government accountability office challenging the IRS’s evaluation of Experian’s quotation.

Equifax discovered the breach on July 29 and, after investigating it, announced the breach on September 7. On September 29, during the government accountability office’s consideration of the protest, the IRS awarded Equifax a short-term, sole-source contract for $7.25 million to cover identity and verification services during the time frame needed to resolve the protest. IRS considered these services “critical” and “cannot lapse.”

However, following the completion of its breach-related security assessments, the IRS issued Equifax a stop-work order to suspend its performance under the short-term, sole-source order.

The government accountability office denied Equifax’s protest on October 16, 2017, and the IRS proceeded with the task order issued to Experian for the taxpayer identity and verification services.

Starting September 21, 2018, you can freeze and unfreeze your credit file for free.

You also can get a free freeze for your children who are under 16. And if you are someone’s guardian, conservator, or have a valid power of attorney, you can get a free freeze for that person too.
Security freezes, also known as credit freezes, restrict access to your credit file, making it harder for identity thieves to open new accounts in your name.

You’ll need to contact all three of the nationwide credit reporting agencies (Equifax, Experian, and TransUnion) to request a credit freeze.

Tagged , ,