More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday.
The report by the Treasury Department's inspector general for tax administration reveals a human flaw in the security system that protects taxpayer data.
It also comes on the heels of accounts of thieves' breaking into computer systems of private data suppliers ChoicePoint Inc. and LexisNexis.
The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested.
"We were able to convince 35 managers and employees to provide us their username and change their password," the report said.
That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords.
"With an employee's user account name and password, a hacker could gain access to that employee's access privileges," the report said.
"Even more significant, a disgruntled employee could use the same social engineering tactics and obtain another employee's username and password," auditors said.
With some knowledge of IRS systems, such an employee could more easily get access to taxpayer data or damage the agency's computer systems.
Employees gave several reasons for complying with the request, in violation with IRS rules that prohibit employees from divulging their passwords.
Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical.
Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.
Within two days after the test, the IRS issued an e-mail alert about the hacking technique and instructed employees to notify security officials if they get such calls. The agency also included warnings into its mandatory security training.
