Nov 26, 2007, By Ryan Blitstein
The callers were actually U.S. Treasury auditors testing how easily hackers could access Americans' personal financial information.
The result: Too easily. Sixty-one tax workers complied.
The auditors, from the Treasury Inspector General for Tax Administration, conducted similar exams in 2001 and 2004, recording failure rates of 71 percent and 35 percent, respectively. Both times, the IRS took "corrective actions" to raise awareness about data protection among agency staffers.
But, as Treasury auditors dryly noted, those actions "have not been effective."
The appalling IRS performance highlights a crisis within America's elaborate system of sensitive data: Internet users, businesses and guardians of information alike are doing a terrible job of self-protection.
From eBay to Ford, from UCLA to the laptop on your kitchen table, Americans have left themselves vulnerable to vicious cybercriminal assaults. Citizens unwittingly click on Internet links that drop malware on their computers; major corporations allow PCs inside their firewalls to be taken over remotely by criminals; bureaucrats in charge of our precious private information can easily be duped out of their passwords.
In the past few years, about one private record for every two Americans has been stolen via data breaches alone. Internet crime's total yearly cost to U.S. businesses, including indirect expenses like paying employees to repair hacked systems, has risen as high as $67 billion, according to an FBI analysis last year. Hundreds of millions more are lost by Americans who fall prey to online scams or malicious software. Many who don't consider themselves "victims" may face higher bank fees or depressed investments from companies that took losses as a result of Internet crime.
'Botnet' warning: Computer-breach alert issued
Rick Wesson thought Oracle would be alarmed when he told Mary Ann Davidson, its chief security officer, that online criminals were assimilating several Oracle computers into robot networks, or "botnets," then using them to send malicious e-mail to PayPal customers.
Wesson, who has testified before Congress on cybersecurity, runs Support Intelligence, a start-up that helps businesses identify and track malicious traffic spewing out of their systems. His firm has reported finding bot invasions inside companies such as Intel and Aflac.
Davidson was hardly alarmed. She directed Wesson and his partner to the Oracle security group that manages the door locks and cameras, and watches the parking lot. An Oracle spokesman recently shrugged off Wesson's charges, suggesting the spammers may have cloaked their e-mails to make it seem as if they came from Oracle computers.
But Wesson said his firm corrects for such spoofing. To him, the episode was the latest in a disappointing series of incidents of avoidance and neglect on the part of big business in responding to botnets. A few computers sending out spam may seem harmless to many organizations, but compromised corporate machines could allow thieves to access documents rife with trade secrets, insider data in executives' e-mail, and databases of private employee information. (Intel and Aflac both confirmed isolated problems in which no data was compromised, and have taken measures to correct the vulnerabilities.)
Others support Wesson's findings.
Symantec estimates 4 percent of malicious Internet activity comes from networks of the nation's 100 largest companies.
"This has gotten deep inside corporate America; this is in government; this is everywhere," said Ashar Aziz, chief executive of Menlo Park, Calif., anti-botnet start-up FireEye.
Holes unpatched: Convenience often trumps security
Botnets are only the most recent Web threat to hit corporate America. If companies fail to regularly update their Web sites with software patches, hackers can take information or leave malware behind.