The IRS is paying Equifax millions for a login system that has been hacked—twice

To confirm that US taxpayers are who they say they are, the Internal Revenue Service (IRS) uses an identity verification system made by credit-rating agency Equifax. The system, known as Knowledge-Based Authentication, or KBA, asks questions based on a person’s credit history, such as “On which of the following streets have you lived?” or “What is your total scheduled monthly mortgage payment?”

In 2015, the Equifax KBA system used by the IRS was hacked in a data breach that resulted in the loss of more than 700,000 tax records. Equifax revealed a month ago that it was itself hacked earlier this year, leading to the theft of 145.5 million people’s data.

And last week the IRS awarded a $7.25 million contract to Equifax to continue using its KBA system.

The IRS data breach in 2015 occurred after hackers broke into the agency’s website through its “Get Transcript” page, which allows users to obtain past tax records. It’s never been clear how hackers managed to correctly answer the KBA questions for 724,000 Americans, but experts have speculated that they must have used data stolen in previous data breaches.

In the Equifax breach last month, the stolen data included “names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers,” according to a statement by the company. “In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

While such data could potentially be useful in hacking KBA systems, particularly those provided by Equifax itself, the IRS told Quartz in a statement that “simply having Equifax data would not be enough for a bad actor to access the system,” and added that the new Equifax contract was “awarded to Equifax to prevent a lapse in service,” and is a “short-term contract.”

“Equifax advised us that no IRS data was involved in their breach,” the statement said. “Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems. At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation.”

No IRS data may have been stolen, but as long as the IRS relies on Equifax’s KBA system, it is relying in part on the data Equifax keeps on consumers, and a KBA check is only as strong as the secrecy of that data. Some of it has now been stolen, and whoever holds a copy of a person’s credit record holds the answers to questions drawn from it.

Following the 2015 breach, the IRS shut down the Get Transcript page that used Equifax’s KBA system, and gave the victims of the breach “Identity Protection PINs,” which are secret codes they must now put on all of their tax returns. If someone were to lose their PIN, they could retrieve it by logging into the “Get IP PIN” service on the IRS website. But that login process was also secured by Equifax’s KBA, and was also hacked. Like the Get Transcript page, the Get IP PIN page was subsequently shut down.

Today, however, both the Get Transcript and Get IP PIN pages are up and running on the IRS website. Each requires credit history information for verification. It’s unclear whether those pages still use the data from the previously hacked Equifax KBA system. When asked if they do, the IRS declined to comment, but pointed out that applications like Get Transcript now use additional security measures when a user logs in, such as sending a one-time code to the user’s cellphone.
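The point made above, that a KBA check is only as secret as the bureau data behind it and that an out-of-band one-time code changes that, as an added example that is not part of this article and is not Equifax’s or the IRS’s code. The bureau record, question wording, distractor pools and code lengths are constructed toy data for the demonstration; the second half adds the kind of one-time code the IRS describes and shows why a stolen copy of the record alone no longer passes.

```python
"""Toy knowledge-based authentication (KBA) versus a breached copy of its data.

Constructed example: the "bureau record", questions and distractors below are
fictional, invented for this demonstration, not a real credit record or the
IRS's actual question set.
"""
import hmac
import random
import secrets

# Constructed bureau record for a fictional taxpayer (assumption: this is the
# kind of credit-history data a KBA vendor draws its questions from).
BUREAU_RECORD = {
    "streets_lived": ["Elm St", "Maple Ave"],
    "monthly_mortgage": 1450,
    "auto_lender": "Example Auto Finance",
}

# Plausible wrong answers the verifier mixes in with the real one.
DISTRACTOR_STREETS = ["Oak Dr", "Pine Ct", "Birch Ln", "Cedar Rd"]
DISTRACTOR_LENDERS = ["Sample Credit Union", "Demo Bank", "Placeholder Motors"]


def kba_challenge(record, seed):
    """Build three 4-option multiple-choice questions from the record."""
    rng = random.Random(seed)
    street_opts = [rng.choice(record["streets_lived"])] + rng.sample(DISTRACTOR_STREETS, 3)
    rng.shuffle(street_opts)
    pay = record["monthly_mortgage"]
    pay_opts = [pay, pay + 300, pay - 200, pay + 800]
    rng.shuffle(pay_opts)
    lender_opts = [record["auto_lender"]] + rng.sample(DISTRACTOR_LENDERS, 3)
    rng.shuffle(lender_opts)
    return [
        {"kind": "street", "text": "On which of these streets have you lived?", "options": street_opts},
        {"kind": "mortgage", "text": "What is your scheduled monthly mortgage payment?", "options": pay_opts},
        {"kind": "lender", "text": "Which lender holds your auto loan?", "options": lender_opts},
    ]


def correct_answer(question, record):
    """The verifier's answer key: derived entirely from the stored record."""
    kind = question["kind"]
    if kind == "street":
        return next(o for o in question["options"] if o in record["streets_lived"])
    if kind == "mortgage":
        return record["monthly_mortgage"]
    if kind == "lender":
        return record["auto_lender"]
    raise ValueError(f"unknown question kind {kind!r}")


def verify_kba(questions, answers, record):
    """Pass only if every answer matches the record-derived key."""
    return all(a == correct_answer(q, record) for q, a in zip(questions, answers))


def attacker_with_breached_copy(questions, stolen_record):
    """An attacker holding the bureau's data computes the same answer key."""
    return [correct_answer(q, stolen_record) for q in questions]


def guess_success_rate(n_questions, n_options=4):
    """Chance that someone WITHOUT the data passes by guessing: (1/4)^n."""
    return (1 / n_options) ** n_questions


def simulate_guessing(trials, seed):
    """Empirical pass rate of a random guesser, for comparison with the formula."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        qs = kba_challenge(BUREAU_RECORD, rng.randrange(1 << 30))
        guesses = [rng.choice(q["options"]) for q in qs]
        hits += verify_kba(qs, guesses, BUREAU_RECORD)
    return hits / trials


# --- Second factor: a one-time code delivered out of band (e.g. to a phone). ---

def issue_otp(seed=None):
    """6-digit code; a fixed seed is only for reproducible demos, never production."""
    if seed is None:
        return f"{secrets.randbelow(10**6):06d}"
    return f"{random.Random(seed).randrange(10**6):06d}"


def verify_login(questions, answers, record, presented_otp, issued_otp):
    """KBA plus the out-of-band code: the stolen record alone is no longer enough."""
    kba_ok = verify_kba(questions, answers, record)
    otp_ok = hmac.compare_digest(presented_otp, issued_otp)  # constant-time compare
    return kba_ok and otp_ok


if __name__ == "__main__":
    qs = kba_challenge(BUREAU_RECORD, seed=7)
    stolen = attacker_with_breached_copy(qs, dict(BUREAU_RECORD))
    print("attacker with breached copy passes KBA:", verify_kba(qs, stolen, BUREAU_RECORD))
    print("random guesser, expected:", guess_success_rate(3), "observed:", simulate_guessing(2000, 1))
    otp = issue_otp()
    print("same attacker without the phone code:", verify_login(qs, stolen, BUREAU_RECORD, "000000", otp))
```

The contrast is the whole point: the verifier and the attacker run the same `correct_answer` function over the same record, so possession of the record is indistinguishable from being the person, while the one-time code is checked against something the record does not contain.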
