One of the pandemic “winners” – a member of a large group of companies that appeared and grew exponentially to serve the needs of the government in its chosen way of handling the situation, as most of the economy was standing still – now appears to be in trouble.
ID.me's business is digital identity verification, and it says that its job is to simplify how individuals securely prove and share their identity online.
It can be used by governments that want to give citizens access to services. In the US, the company was contracted by the Internal Revenue Service (IRS) earlier this year to implement an authentication project that has since, according to reports, faced problems.
ID.me also secured dozens of other contracts, including with the Social Security Administration, the Department of Veterans Affairs, and many state unemployment agencies.
And now three US senators – Robert Menendez, Ed Markey, and Ron Wyden – claim that the “secure” part was not exactly as ID.me promised it would be.
According to a Business Insider report, these three senators accused the company of recklessly and irresponsibly handling biometric and other personal data of citizens. And they would reportedly like to use this case as an argument in favor of bolstering privacy laws at the federal level.
Demand for ID.me's services grew much faster than the company itself was able to, which has apparently led to sloppy security practices, such as leaving user data exposed in internal chats and on insecure internal dashboards. As a result, personal data of job-seekers, veterans, and others was accessible to anyone with a company computer – including customer service, which was hiring people in a hurry, even before background checks.
The company denied that it had poor security in place, telling Business Insider that user information security was “top priority” for ID.me, and that there had been “independent evaluations” to prove that.
Staffers who spoke on condition of anonymity, however, said that the growing business brought on by the pandemic caused a “frenzy” in trying to grow a workforce from 40 people in early 2020 to 1,500 by the end of that year.
“Best practices and explicit privacy rules in some cases were ignored in order to move the incoming ID requests,” sources are quoted as saying.