Between March and July of this year, the credit rating agency Equifax, was infiltrated by hackers who made off with the sensitive personal information of more than 140 million Americans. That sounds like the kind of thing that might hurt a company’s credibility when it comes to security. But Politico is now reporting that the IRS will pay Equifax $7.25 million to “verify taxpayer identities and help prevent fraud.”

A synopsis of the contract, published by the Department of the Treasury on September 30, notes that the contract was a “sole source order,” meaning the IRS didn’t shop around for competitive bids. That’s because it’s in a contract dispute with a former security provider, and doesn’t want to let consumer protections lapse. Why Equifax was singled out for the job is another question.

A no-bid contract for critical consumer protection would be a sad state of affairs, even if the credit agency chosen for the job hadn’t been taken to task by hackers earlier this year. But it’s much worse when you consider that this year Equifax was hacked not once, but twice, neglected to notify consumers of the breach for months, and botched their response so badly that CEO Richard Smith was forced to step down.

Law makers took turns chastising Equifax this morning at a House Energy and Commerce subcommittee. Smith blamed the intrusion on a single employee, who he says did not communicate with team members about deploying a security patch for a known vulnerability. “Both the human deployment of the patch and the scanning deployment did not work,” Smith told Congress. “The protocol was followed.”

Legislators had their sound bites prepped and ready during the hearing. "It's like the guards at Fort Knox forgot to lock the doors,” said Republican chairman, Greg Walden of Oregon during the hearing. Asking Equifax to protect identities and prevent fraud for the IRS — an organization with its own identity theft issues — is like hiring the fox to guard the hen house. For $7.25 million.