Representatives from the office of the Treasury Inspector General for Tax Administration (TIGTA), posing as help desk technicians, contacted a random sample of 102 IRS employees, including managers and a contractor, by telephone. During the phone calls, which all took place on a single day, 61 of the 102 IRS employees, or 60 percent, agreed to provide their user names and passwords to the strangers on the telephone.
Only eight of the 102 employees contacted followed proper procedure and reported the contact to appropriate IRS personnel.
Senator Max Baucus (D-MT), chairman of the Senate Finance Committee, described the results as demonstrating "reckless disregard for computer security" with respect to millions of American taxpayers, leaving them "vulnerable to identity theft and other fraudulent schemes."
A report released by the U.S. Treasury Department stated, "Employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work."
One third of the IRS employees who volunteered their passwords stated that they believed the calls to be legitimate, and some even stated that they were experiencing difficulty with their computers before they got the bogus help desk call.
TIGTA conducted similar tests in 2001 and 2004. In the 2001 test, 75 percent of IRS employees provided their login information to callers; in 2004 the number had decreased to 35 percent.
TIGTA has recommended that the IRS conduct additional security awareness training and internal social-engineering tests.
You can read the complete report.