Careless workers expose IRS data

Internal Revenue Service employees gave their passwords to auditors who posed as computer help-desk workers, a security breach that could allow taxpayers' personal information to be released to identity thieves.

The Treasury Inspector General for Tax Administration said 61 of 102 employees agreed to help a caller pretending to be a technician fix a problem by disclosing their passwords and then changing them to one suggested by the caller.

It's the third time since 2001 that IRS employees failed to protect passwords and follow security rules even after the agency provided extra training to workers to fix the problem.

"The corrective actions have not been effective," according to a report released by the Treasury Department in Washington, D.C.

"Employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work."

The IRS has 100,000 workers or contractors who have access to taxpayers' financial information. Each year, every employee is required to certify that they understand the password-protection security requirements, the report said.

In April, Inspector General J. Russell George said the IRS hadn't secured information on the 52,000 laptop computers issued to employees, and that almost 500 IRS laptops were stolen between January 2003 and June 2006.

"Despite repeated warnings, IRS workers continue to show reckless disregard for computer security," said Sen. Max Baucus, the Montana Democrat who heads the Senate Finance Committee.

"Continued failure in this area is leaving millions of American taxpayers vulnerable to identity theft and other fraudulent schemes."

The report said that hackers who cannot break into computer networks often turn to "social engineering" such as tricking people into revealing passwords or other sensitive information.