When it comes to the work at the IRS, most employees
are trained not to give it away for free. And they tend to do a good job — except when it comes to their computer passwords and login
information, according to a government report released this week.
More than one-third of IRS employees and managers handed over sensitive
login and password information to Treasury Department inspectors posing as
computer technicians, according to the Treasury Inspector General for Tax
Administration (TIGTA), an independent overseer of the IRS.
Once inside the IRS system, hackers could easily access sensitive
taxpayer information or damage the agency’s computer systems, the report
said.
Louis D. Garcia, a spokesman for TIGTA, said auditors called 100 IRS
employees and managers, posing as technology help desk employees requesting
network login and password information. They also asked employees to change
their passwords to ones the inspectors had suggested.
Of the 100 tested, 35 employees gave up their usernames and changed
their passwords, Garcia said.
“You can have the most secure technological system in the world, and it is
only going to be as strong as the people who operate it,” Garcia said. He
also noted that after receiving the information, inspectors queried the
employees about IRS policy concerning handing out password and login
information.
“Most everyone knew they weren’t supposed to do it,” Garcia said.
The good news for the IRS was that this year’s results were a 50 percent
improvement compared with a similar test performed in 2001, when 71
employees cooperated and changed their passwords.
“It’s still not acceptable,” Garcia said.
The report noted that some employees claimed they weren’t familiar with
the technique that is known as social engineering
The IRS has since sent an e-mail alert to all its employees about the
hacking technique and instructed employees to notify security officials if
they get such calls, according to the report.
The theft of personal information has been a sensitive issue in recent
months, as more and more thieves are finding alternative ways to gain access
to people’s Social Security numbers, bank account numbers and other forms of
identification.
Last month, credit-check company ChoicePoint notified 145,000 people of the potential of identity theft after the company’s computer system was broken into; and just last week, information publisher Reed Elsevier said one of its LexisNexis databases had been abused.
Although some employees admitted they could not find the caller’s name on
an IRS employee directory, they provided the information anyway. Some
even checked with their managers and received approval, the report said.