TIGTA (the Treasury Inspector General for Tax Administration) recently ran a survey of the IRS to determine how well the agency would respond to a little old-fashioned social engineering.
TIGTA callers posed as helpdesk representatives and requested assistance changing a password. The results are quite surprising:
“In 61 of 102 cases, the TIGTA caller was able to convince an IRS employee to change his or her password as requested. Furthermore, only eight of the 102 IRS employees contacted actually contacted the audit team, the Treasury Inspector General for Tax Administration Office of Investigations, or the IRS computer security organization. These results indicate an ongoing problem for the IRS: in 2001, 71 percent of employees were willing to reveal password data. While this number fell to only 35 percent in 2004, that sharp decline appears to have all but reversed itself.”
The TIGTA report on the study goes on to suggest that a program of continued education be instituted in order to better protect sensitive data.