Something’s Fishy: IRS Awards Equifax A Major “No-Bid” Contract To Fight Fraud

On the surface, the IRS contract with Equifax is highly suspect and puzzling. Under the surface, however, there could be a deeper, more serious motive at stake…

First, for those not familiar with the Equifax data breach, or what to do about it, here it is straight from Federal Trade Commission:

If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax, one of the nation’s three major credit reporting agencies.

Here are the facts, according to Equifax. The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.

There are steps to take to help protect your information from being misused. Visit Equifax’s website, www.equifaxsecurity2017.com. (This link takes you away from our site. Equifaxsecurity2017.com is not controlled by the FTC.)

  • Find out if your information was exposed. Click on the “Potential Impact” tab and enter your last name and the last six digits of your Social Security number. Your Social Security number is sensitive information, so make sure you’re on a secure computer and an encrypted network connection any time you enter it. The site will tell you if you’ve been affected by this breach.
  • Whether or not your information was exposed, U.S. consumers can get a year of free credit monitoring and other services. The site will give you a date when you can come back to enroll. Write down the date and come back to the site and click “Enroll” on that date. You have until January 31, 2018 to enroll.

The IRS has awarded a “no-bid” contract to Equifax to safeguard taxpayer data. Equifax was the target of a massive hack and data breach, there are possibilities of insider trading just prior to the public disclosure of the hack, and now, the IRS has just given Equifax a contract that apparently TransUnion nor Experian cannot execute, because the contract was not open for bidding.

As for the IRS awarding a no-bid contract to equifax, here’s more about the case from Politico:

The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.

contract award for Equifax’s data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year. The credit agency will “verify taxpayer identity” and “assist in ongoing identity verification and validations” at the IRS, according to the award.

Former Equifax CEO Richard Smith, who stepped down after the breach, endured a bipartisan shaming Tuesday at a hearing of a House Energy and Commerce subcommittee. | Chip Somodevilla/Getty Images

The notice describes the contract as a “sole source order,” meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract.

The IRS defended its decision in a statement, saying that Equifax told the agency that none of its data was involved in the breach and that Equifax already provides similar services to the IRS under a previous contract.

Equifax did not respond to requests for comment.

And this leads us to ask a deeper question that the MSM, Politico, and even Zero Hedge are failing to ask:

Is this contract a back-door payment for possible extortion or ransom?

Going back for the last couple of years, businesses, governments and organizations of all types have been hacked, and data has been breached, and the stolen data is held for ransom and the company is extorted for currency, usually of the cryptocurrency Bitcoin variety. Let’s look at a few examples of this. Some of the time, the businesses don’t lose (hard to call it a win), sometimes the hackers get want they want (hard to call it a win), and sometimes, it is a mix of the two. It all depends on the type of data, and what the data is used for.

Last Thanksgiving weekend (2016), the San Fransisco Muni Transit System was hacked. This caused ticket booths to be rendered useless, and free rides were provided as a work-around:

On the next picture, one can imagine the embarrassment when the public transportation system of one of the main U.S. tech hubs, which is supposedly one of the most tech savvy cities in the U.S, displayed a message saying “you’ve been hacked”:

The ransom was for 100 Bitcoins, which would now be estimated at $430,000 dollars. The city did not pay, and eventually the service was restored once the hot fix was able to restore the encrypted data.

Hospitals have paid, however. Once again, in the tech capital of the United States, California (what’s that say about our techs?), a hospital not only admitted that it got hacked, but that it also payed the ransom demanded by the hackers.

LOS ANGELES/BOSTON (Reuters) – While it was not the first hacked organization to acquiesce to attackers’ demands, the California hospital that paid $17,000 in ransom to hackers to regain control of its computer system was unusual in one notable way: It went public with the news.

Hollywood Presbyterian Medical Center relented to the demands, President Allen Stefanek said, because he believed it was the “quickest and most efficient way” to free the Los Angeles hospital’s network, which was paralyzed for about 10 days.

This means that there is no standard response to extortion, ransoms, and all the other demands made by those who have done the data breaches. More on that later, but first, here’s three examples that show just how it truly is a case by case issue.

First, A Netflix “Orange is the New Black” was stolen and released after the company ignored the demands and the ransom:

A hacker this weekend published ten upcoming episodes of Netflix’s hit prison series Orange Is The New Black to a pirate Internet site, and claims it has unreleased footage from other studios including ABC, Fox, and National Geographic.

The hacker, which stole the material from a post-production service called Larson Studio, goes by the name the Dark Overload, and has claimed responsibility for other high profile data dumps, including from medical providers.

While the story dos not end there, it shows that the data breaches are serious. When data has been stolen, and if the demands are not met, the data gets out.

However, when the Game of Thrones was hacked, HBO offered $250,000, “to buy time” the network stated, and while HBO has more or less won in the Game of Thrones hack, it was still a serious data breach:

“As a show of good faith on our side, we are willing to commit to making a bug bounty payment of $250,000 to you as soon as we can establish the necessary account and acquire bitcoin.”

The offer may have been an attempt to stall for time, rather than a genuine proposal of payment. HBO came clean about the hack four days after the bug bounty payment was offered, telling the public that it had experienced a “cyber-incident, which resulted in the compromise of proprietary information”.

Here’s a quick video on HBO hacks:

 

To this day, HBO continues to be bothered by hackers and data breaches, and it’s not just Game of Thrones. HBO is again, even within the company, treating each issue on a case by case basis.

Here’s some additional damage that happened after the initial Game of Thrones data breach:

At around 11 p.m. ET, the @hbonow Twitter account was taken over by a group called OurMine. The same hackers also compromised the main @HBO and @GameOfThrones accounts.

The “Game of Thrones” Facebook page was also compromised with the hackercs posting about trying to get the hashtag #HBOHacked trending.

OurMine has been responsible for some high-profile hacks of social media accounts including several belonging to Facebook CEO Mark Zuckerberg and Google CEO Sundar Pichai.

In its posts, OurMine asked HBO to contact it. The posts were deleted after HBO regained control of the account, but users on social media posted screenshots.

Disney was hacked, supposedly, and admitted that the latest Pirates of the Caribbean film was being held for ransom. Disney did not pay, and it later was determined to be a hoax. This may be part of the reason why some companies pay ransoms, some ignore them, some offer something as payment, and some do nothing.

The hackers may or may not have the data they say they do, but that is only one side of the hack. The victim, such as Disney in this case, may or may not know exactly what the hacker has. It stands to reason that the companies do not want to let out what they know, because that would give the hackers leverage.

In the case of Disney, the steadfastness payed off.

Here’s more on the Disney non-hack:

Website TorrentFreak dedicated to all things torrent-related including hacking and piracy conducted its own “investigation” and suggested the demand from the hacker group was a hoax.

“Our conclusion was that the ‘hack’ almost certainly never happened and, from the beginning, no one had ever spoken about the new Pirates film being the ‘hostage’.

“Everything pointed to a ransom being demanded for a non-existent copy of The Last Jedi and that the whole thing was a grand hoax,” the website wrote.

And it turns they were right. The whole thing was much to do about nothing.

Following an FBI investigation, the Disney boss said there was no way that anybody had access to the films before they appeared in the cinema.

“To our knowledge, we were not hacked,” Mr Iger told Yahoo Finance over the weekend.

“We had a threat of a hack of a movie being stolen.

“We decided to take it seriously but not react in the manner in which the person who was threatening us had required.”

Hacking movie studios to hold content for ransom is a growing trend among cyber criminals but others, it seems, are hoping to get rich by simply pretending to do it.

So this brings us back full circle on the Equifax “data breach”. We know, based on the actions of other companies and organizations, that the company may or may not know what the hacker knows, and the company surely does not want the hackers to know what the companies are thinking, and so much of the information is kept internally within the company so as not to give the company leverage.

But this is a double-edged sword. If the company knows the breach is very serious, or if the result of the hack could be severely disruptive, like the breach could have been in the case of the San Fran Muni Trans, or if the hack could be life threatening, in the case of hospitals getting hacked, we can see that they company may indeed succumb to the extortion and ransom demands of the hackers. 

The point is that the company never wants to tell the public exactly what it knows, because, in essence, the hacker is learning that information too. 

So now we can arrive at this very odd “no-bid” contract just awarded to Equifax from the IRS.

Granted, both Equifax and the IRS do speak in ambiguities, and they have shown they are capable of serious and costly mistakes, so we must take any contract with a grain of salt as to the true intention, but let’s just ponder a few things for a moment.

Does the IRS withhold information, target certain individuals, have political agendas, or has it ever been clad in scandals?  We’ll leave that question as rhetorical although we’re pretty sure that everybody would say “all of the above”.

Does it stand to reason that Equifax will not share what it knows with the public, because the public includes the very hackers, data-breachers, and extortionists that would be looking to find out exactly what Equifax knows? If you have read this article in it’s entirety, you would say absolutely.

And that brings us to one final, serious, and downright plausible question:

Did the IRS and Equifax just set up an extortion or ransom payment scheme, under the cover of  a contract to protect the IRS from fraud, to respond to the data breach all the while keeping much of the information and intricacies hidden from the public?

Too long and jumbled? We can even get more precise:

Did the IRS and/or Equifax just pay an extortion and/or ransom for a data breach and/or hack?

Those are rhetorical questions. We will keep those answer to ourselves…