The Treasury Department inspector general has reported a distinct weakness in the security surrounding the IRS computer systems. Unlike the problems found with other security systems, this one is human.
The Treasury Department inspector general conducted a study to see if IRS employees could be manipulated into providing information that would compromise computer security. Treasury Department inspectors called IRS agents and managers posing as computer technicians. The inspectors told the employees that they were trying to fix problems with the computer network platform. They then asked the employess to provide the login and passwords for their administrative accounts. More than one-third of the agents provided the information and even allowed the inspectors to change the passwords.
The IRS has rules in place that prohibit employees from divulging passwords. Despite these rules, employees gave several reasons for providing the information. Some said they were not suspicious of foul play while others wanted to be helpful to the technicians. Some employees were suspicious, but were given permission to provide the information by the managers in their departments.
The taxpayer database maintained by the IRS contains incredibly valuable information. The hacks of Choicepoint and LexisNexus pail in comparison to a hack of the IRS database. Imagine a hacker getting access to the tax identification numbers of every person and business in the United States. Making matters worse, the database also contains the name and number of every account kicking out interest and dividends for each taxpayer including bank accounts and investment accounts. The exposure of such information would be a windfall for identity theft scams.
The IRS has responded to the study by sending an email to all employees alerting them of the rules regarding divulging information. You have to wonder how long the employees will keep it in mind.
