In an audit of IRS security rules by the Treasury Inspector General for Tax Administration, it appears that the auditors were able to successfully social engineer IRS employees into improperly disclosing their user names and passwords — a staggering 61% of the time.
According to the report, a caller posed as a technical support person and contacted 102 employees. On the pretext of solving a computer problem, he attempted to persuade them to temporarily change their passwords to one he suggested.
Excerpt from SignOnDiego.com:
Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request… Only eight of the 102 employees contacted either the inspector general’s office or IRS security offices to validate the legitimacy of the caller.
The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.
The especially disturbing part here is the revelation that the IRS had already taken many measures to improve security awareness after two similar test telephone calls in 2001 and 2004.
The report sums up those efforts: “… the corrective actions have not been effective.”
Needless to say, the employees were putting the IRS at risk of giving unauthorized people access to taxpayer data. Still, is this case simply a sign of the impossibility of educating end-users, especially in a large corporation or organization spanning multiple locations, or is it due to the lack of a proper system?