Slashdot Mirror

← Back to Stories (view on slashdot.org)

IRS Freely Gives Out Employee User Name/Password Info

Posted by Zonk on from the thanks-uncle-same dept.

An anonymous reader writes "The Treasury Inspector General for Tax Administration reports that its inspectors were able to get IRS employees to improperly disclose their user names and passwords over 61% of the time. 60,000 of the IRS's 100,000 employees and contractors thus are susceptible to computer hackers, putting personal taxpayer information at risk for unauthorized disclosure, theft and fraud. 'Only eight of the 102 employees contacted either the inspector general's office or IRS security offices to validate the legitimacy of the caller ... The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.'"

1 of 146 comments (clear)

  1. It took this long for this to hit /.? by Invidious · · Score: 5, Interesting

    Actually, I work for the IRS, so let me set the record straight. I've seen the original paper, which was published months ago: the users involved didn't give out their passwords, they changed them to one requested by the "tech support" person (and these calls came in to extensions which the public doesn't really have access to, for the most part.) Still highly stupid, but most of the people at the IRS don't know much about computers, and while they've generally got "don't give out your password" down, they didn't seem to equate this to "if you change your password to something someone suggests, that's the same thing."

    Also, this is mostly an internal threat; without access to the IRS intranet, I'd say that 99% of those compromised accounts would be useless to someone outside the IRS.

    But, whatever. This is what happens when you have what amounts to a major data center staffed primarily by people who're just barely computer literate. AFAIK, memos about the problem have gone out to ~everyone and meetings have been held at the lowest levels to inform the staff that doing this is Bad.

    What's really fucked up is that several of the employees that fell for this were at the highest GS levels. I can understand how the problem would be prevalent among the lower-level off-the-street employees, but you'd think that someone who was getting paid $100K+ a year would have a clue about data security.