Washington (DC) - In a test to see how well its employees safeguard sensitive data, the IRS found that it was fairly easy for someone to gain access to system files.

The IRS ran a test by having someone pose as an internal technical support rep and call employees throughout the bureau.  The caller said there were technical problems and asked the employees to give them specific data.  Of the 102 people who got the call, 61 of them handed over their IRS user name and complied with the caller's request to change their password, according to a report by the Treasury Inspector General for Tax Administration.

This gave the caller access to sensitive computer files within the IRS databases.  The report says the 61 employees did not question the caller's identity, which puts the data of virtually every taxpayer at risk.

Only eight of the 102 employees contacted security officials to validate the identity of the caller.  The report urges the IRS to train its employees about these and other hacker tactics.

The IRS went through a similar test in 2001 and 2004.  After each case, it was determined security measures needed to be updated.  While it has added additional safeguards, the report said, "the corrective actions have not been effective."

I have an idea

Aug 03, 2007 15:55     

How about eliminating the IRS altogether? I think that would solve a lot more problems then just security IMO
Lowlife187 report abuse vote down vote up Votes: +0

usual stuff

Aug 03, 2007 18:14     

doesnt anybody think its pretty ironic? homeland security, dmca,...? and then a government institution cant protect its data? why try to hack when you can just call? whats the telephone number of the NSA/CIA? but ok... they should have been trained long ago, but human failure can occur, even on large scale... still it just shouldnt! *just dont think about it...*
RadEd report abuse vote down vote up Votes: +0

40% is an "F"

Aug 06, 2007 09:31     

It's obvious that as long as the money flows through the IRS no one in the gov't cares if it's done in a way that protects our citizens. People's sensitive personal data is exchanged through tax returns, ssn's, earnings, even bank account numbers. If you had malicious intent, odds are that you could get access to data on the FIRST call you made, and heck even if it took 100 calls that data can be extremely valuable. An acceptable breakdown rate would be .01% especially on these types of proceedural issues.

Meegus report abuse vote down vote up Votes: +0

Self Test, good

Aug 06, 2007 14:08     

I am glad it was their own people that were doing the test. Hopefully no outside person does the same thing before they learn to do it correctly.
TomLeeM/BigWarpGuy report abuse vote down vote up Votes: +0

I called and they gave me all the info

Aug 06, 2007 15:28     

I made the call to IRS and when I did the test for 100 people all the 100 of them gave me their user name and password. So I think the test conducted by IRS itself is fake and ridiculous. Close down the IRS
Vinu report abuse vote down vote up Votes: +0

I called IRS and got an internal password...

Oct 09, 2007 02:58     

...and I'm happy to say that: now I've paid up my taxes 320% for the next 15 years!! Thank goodness for social engineering... :)
boingo report abuse vote down vote up Votes: +0