When it comes to the work at the IRS, most employees are trained not to give it away for free. And they tend to do a good job -- except when it comes to their computer passwords and login information, according to a government report released this week.
More than one-third of IRS employees and managers handed over sensitive login and password information to Treasury Department inspectors posing as computer technicians, according to the Treasury Inspector General for Tax Administration (TIGTA), an independent overseer of the IRS.
Once inside the IRS system, hackers could easily access sensitive taxpayer information or damage the agency's computer systems, the report said.
Louis D. Garcia, a spokesman for TIGTA, said auditors called 100 IRS employees and managers, posing as technology help desk employees requesting network login and password information. They also asked employees to change their passwords to ones the inspectors had suggested.
Of the 100 tested, 35 employees gave up their usernames and changed their passwords, Garcia said.
"You can have the most secure technological system in the world, and it is only going to be as strong as the people who operate it," Garcia said. He also noted that after receiving the information, inspectors queried the employees about IRS policy concerning handing out password and login information.
"Most everyone knew they weren't supposed to do it," Garcia said.
The good news for the IRS was that this year's results were a 50 percent improvement compared with a similar test performed in 2001, when 71 employees cooperated and changed their passwords.
"It's still not acceptable," Garcia said.
The report noted that some employees claimed they weren't familiar with the technique that is known as social engineering , while others just wanted to be helpful to the computer technicians.
The IRS has since sent an e-mail alert to all its employees about the hacking technique and instructed employees to notify security officials if they get such calls, according to the report.
The theft of personal information has been a sensitive issue in recent months, as more and more thieves are finding alternative ways to gain access to people's Social Security numbers, bank account numbers and other forms of identification.
Last month, credit-check company ChoicePoint notified 145,000 people of the potential of identity theft after the company's computer system was broken into; and just last week, information publisher Reed Elsevier said one of its LexisNexis databases had been abused.
Although some employees admitted they could not find the caller's name on an IRS employee directory, they provided the information anyway. Some even checked with their managers and received approval, the report said.
IRS Giving Goods Away
