Former chairman and CEO of Equifax Richard F. Smith testifies before the Digital Commerce and Consumer Protection Subcommittee of the House Commerce Committee on Capitol Hill in Washington. (AP Photo/Carolyn Kaster)

WASHINGTON — Senators expressed bewilderment Wednesday that credit reporting company Equifax, under siege after a data breach affecting more than 145 million people, has received a $7.25 million contract with the IRS to provide taxpayer and personal identity verification services.

“Why in the world should you get a no-bid contract right now?” Sen. Ben Sasse, R-Neb., asked former Equifax CEO Richard Smith at a Senate Banking, Housing and Urban Affairs Committee hearing.

Sasse’s indignation was soon topped by Sen. John Kennedy, R-La., who said, “You realize to many Americans right now, that looks like we’re giving Lindsay Lohan the keys to the mini-bar.”

“I understand your point,” Smith said in response to Kennedy’s observation and reference to the actress who has struggled with drugs and alcohol.

Smith testified at the second of four congressional hearings this week in which lawmakers demanded to know how the breach happened and what the company was doing to make things right for consumers. Hackers stole Social Security numbers, birth dates, addresses and other personal information.

Smith said he didn’t know many details about the contract, but he explained that it was for work Equifax has done in the past for the IRS and he thought it was being renewed. He also said he believed the contract was “to prevent fraudulent access to the IRS.”

The former chairman and CEO of Equifax says the challenge of responding to the concerns of tens of millions of consumers in the wake of a massive data breach proved overwhelming, and regrettably, his company made mistakes. (Oct. 3)

The contract says Equifax was the only company capable of providing the services, and it was deemed a “critical” service that couldn’t lapse.

Sen. Heidi Heitkamp, D-N.D., said Equifax forced the IRS to take the contract for another year after issuing a protest. She called on Smith to tell the IRS that it’s fine to take the contract somewhere else.

The IRS had no immediate response.

Smith resigned after the breach was announced. No current Equifax employees testified at the hearing.

Lawmakers were also harshly critical of the company’s data security.

Ohio Sen. Sherrod Brown, the committee’s top Democrat, said consumers should have expected their most private information would have state-of-the-art protections.

“A gold mine for hackers should be a digital Fort Knox when it comes to security,” Brown said.

Sen. Elizabeth Warren, D-Mass., said Equifax didn’t have enough incentive to ensure consumer data was secure. She said the breach means consumers will spend the rest of their lives worrying about identity theft and businesses will lose money to thieves, but the company itself will come out of the crisis just fine.

Warren has called for changes in how credit reporting agencies operate. She said consumers should decide who gets their financial data, not companies such as Equifax. She is also calling for stiffer penalties when breaches do occur.

“When companies like Equifax mess up, senior executives like you should be held personally accountable and the company should pay mandatory and severe financial penalties for every consumer record that’s stolen,” Warren said.

“We’ve got to change this industry before more consumers get hurt,” she said.