IRS employees fail computer security test

Posted by Mark Raby

Washington (DC) - In a test to see how well its employees safeguard sensitive data, the IRS found that it was fairly easy for someone to gain access to system files.

The IRS ran a test by having someone pose as an internal technical support rep and call employees throughout the bureau.  The caller said there were technical problems and asked the employees to give them specific data.  Of the 102 people who got the call, 61 of them handed over their IRS user name and complied with the caller's request to change their password, according to a report by the Treasury Inspector General for Tax Administration.

This gave the caller access to sensitive computer files within the IRS databases.  The report says the 61 employees did not question the caller's identity, which puts the data of virtually every taxpayer at risk.

Only eight of the 102 employees contacted security officials to validate the identity of the caller.  The report urges the IRS to train its employees about these and other hacker tactics.

The IRS went through a similar test in 2001 and 2004.  After each case, it was determined security measures needed to be updated.  While it has added additional safeguards, the report said, "the corrective actions have not been effective."