The Equifax saga took another turn for the worse on Thursday, when the Internal Revenue Service decided to temporarily suspend its $7.1 million data security contract with the credit reports company. The move follows the revelation that the scandal-riddled firm had suffered yet another cyber attack, this time redirecting users to malware.
“Following new information available today, the IRS temporarily suspended its short-term contract with Equifax for identity proofing services,” the agency said in a statement. “During this suspension, the IRS will continue its review of Equifax systems and security.”
However, the agency has emphasized that this is a temporary suspension taken out of precaution.
“The IRS emphasized that there is still no indication of any compromise of the limited IRS data shared under the contract,” agency spokesman Matthew Leas told Politico. “The contract suspension is being taken as a precautionary step as the IRS continues its review.”
The malware breach is the latest in a line of cybersecurity screw-ups for Equifax, which revealed in September that the data of 145 million people had been compromised, including addresses, social security numbers and bank account information.
The president of the world’s largest information technology trade group is now urging the agency to go one step further — and cancel the multi-million dollar contract outright.
“Equifax is known publicly to have security breaches, and they are not correcting them,” Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers, told CBS News. “Why are we spending all this money to give our data to a company that has clear problems with the technology?”
In this week’s breach, visitors were tricked into downloading a malware called Adware.Eorezo. Independent security researcher Randy Abrams, who visited the site to report incorrect information on his credit report, found Equifax offered up the malware at least three more times.
Watch the video below to see the download in action:
It’s unclear whether the redirect that serves up the malware is part of Equifax itself, or some sort of third-party advertising issue.