The hackers also succeeded quickly -- 63% within a half hour.
In an interview, Ponemon said he does not have statistics on how common that form of visual hacking is, but said the point of the research was to see how easy it would be. And it turned out to be disturbingly easy.
"This is the kind of thing that can happen if you're not aware of people wandering around where they don't need to be, like people coming into hospitals looking for people who might be famous celebrities," he said.
Other experts, while they agree that there is a risk, say this kind of visual hacking is extremely rare.
Lance Spitzner, training director for the SANS Securing the Human Program, said he has taught more than 600 security awareness officers and, "they have never really raised this as a concern, except for classified environments."
Monahan said the reason it is rare is because it is much more difficult -- it involves creating a plausible ruse to get inside a building, and once inside, there is more personal risk to a hacker who is identified.
And since it requires a person on-site, "it does not scale as well as remote and automatable hacking," he said.
"You can't collect the same volumes of data as you can with remote hacking," he said. "Try sitting in someone's office for 229 days collecting information like a remote attacker or visually recording 60 million data records."
He added that login information is nearly impossible to get, even if somebody is looking at a screen because, "the vast majority of password fields are masked. They might see it as someone types it or find it on a sticky note but that is still a time consuming effort, so small potatoes. Thousands of people have their credentials compromised daily by malware."
Ponemon doesn't dispute any of that, agreeing that visual hacking in an office likely will not yield anything close to the volume of data that a remote advanced persistent threat (APT) attack could collect.
But he said it can be very useful for "surgical," targeted attacks. "It's a matter of quantity vs. quality," he said. "It's for small amounts of very high-value material."
Christopher Hadnagy, CEO of Social-Engineer, is one expert who agrees. While it may not be the most common form of hacking, he said it is on the rise, in part because, "some attacks just must occur in person to be successful. Bank heists, art theft, stealing blue prints or physical hardware -- all require the attacker to be onsite." And Hadnagy contends it is not all that difficult. "Why spend 10 years digging a hole under ground if I can spend five minutes walking through the front door?" he said. "It is that mentality that lets the attacker take the risk. The reward outweighs the risk in their mind."
Sign up for CIO Asia eNewsletters.