The tax ombudsman will push the Australian Taxation Office to spell out a clear timeline for tightening its online security, amid fresh revelations about breaches that have seen hackers repeatedly claim fraudulent payouts.

Ruth Owen, the Inspector-General of Taxation and Taxation Ombudsman, told The Australian that while the ATO had made some improvements to its online security, it still fell short of standards Australians would expect.

“There are millions of people about to complete their tax return during tax time and to not have the confidence that their personal data and their money is safe with the ATO is an ongoing concern, I think, for … everybody,” she said.

“We’re still looking for the ATO to match our experience that we have now with most of our banking experiences, where if something happens on your account, there’s an SMS on your phone or you get an alert pretty quickly and you’re confident, or as confident as you can be, that it can be stopped quickly before the scammers or fraudsters get away with your money.”

The Australian on Monday revealed how criminals were accessing ATO accounts through myGov and bypassing two-factor authentication measures. Once in those accounts, those criminals would change the individuals’ bank account details, file or amend tax returns, and make off with fraudulent refunds.

Experts believe the criminals are using data and especially tax file numbers collected through various hacking episodes, including those against superannuation funds, to find their way into individuals’ accounts.

That story prompted an outpouring of similar accounts from other taxpayers, many of whom said it had taken a year or more to sort out the resulting administrative issues.

Assistant Treasurer Daniel Mulino sought a briefing by the ATO on Monday afternoon on what measures they were taking to strengthen their systems.

Ms Owen said while the ATO had made progress around strengthening its multi-factor authentication systems and on identifying suspicious activity, it still had work to do on flagging and verifying actions that could point to infiltration by hackers.

She said she wanted the ATO to put on the record a timeline for addressing the remaining weaknesses in the system. “This is not something that’s going away, so what’s the next step that they need to take and when will we see it?” she said.

“For me, it needs to be that authentication and it needs to be the prevention or alerts when they need to verify the most obvious of things, like a change of tax agent or of bank account.”

While tightened security processes may slow down the process and add another layer of complexity, Ms Owen said she believed most consumers would be prepared to wait if it reduced the risk of fraudulent returns getting through the system.

“I think personally people would be more comfortable having their transaction delayed by a few days and making sure it’s going to the right person,” she said.

Ms Owen said a “significant” proportion of the complaints received by her office related to individuals who had had their accounts hacked.

Many of those had been locked out of their accounts while the matter was investigated, delaying them from filing legitimate refunds and causing an additional administrative burden.

Ms Owen said she had seen first-hand the efforts the ATO was making to try to help those caught up in the scam but she said the need for it to weed out scammers from legitimate victims complicated the process.

“I was sitting with the team in ATO who manage these calls last week, actually, and they do a good job in addressing people in high levels of distress, to calm them down and help them understand that their account can be locked down,” she said.

“The empathy is definitely there, but it does take them quite a long time to get to the bottom of who was at fault because obviously some of the scammers are actually the people that ring up and say ‘My account’s been hacked’ when it was them. So they do need to do a little bit of detective work, which is why I guess some people feel like the finger of suspicion falls on them.”

The cost-of-living crisis meant it was even more important for the ATO to address the issue.

She said many of those who had contacted her office were relying on tax refunds as an important part of family expenses, which meant hacking attacks could cause “severe distress”.

Asked about the ombudsman’s comments, a spokesman for the ATO encouraged people to use the myID authentication system when interacting with myGov and the ATO’s online services. “The ATO works closely with the tax ombudsman and values the reviews she and her team undertake, including their recent review related to identity theft,” he said.

Paul GarveySenior Reporter

Paul Garvey is an award-winning journalist with more than two decades' experience in newsrooms around Australia and the world. He is currently the senior reporter in The Australian’s WA bureau, covering politics, courts, billionaires and everything in between. He has previously written for The Wall Street Journal in New York, The Australian Financial Review in Melbourne, and for The Australian from Hong Kong before returning to his native Perth. He was the WA Journalist of the Year in 2024 and is a two-time winner of The Beck Prize for political journalism.

@PDGarvey

More related stories

Nation

International crime-fighter Kaldas scores top cop job in Abu Dhabi

Former NSW deputy police commissioner Nick Kaldas, who has previously worked in Iraq, Lebanon, and Jordan, has been appointed Assistant Commander in Chief of the Abu Dhabi Police Force.

Read more

Indigenous

‘Self-identifying activists undermining genuine Aboriginal democracies’

Wiradjuri leader Roy Ah-See, a former PM Indigenous policy adviser, says self-identifying Aboriginal activists are breaking apart a network of NSW land councils, threatening one of Australia’s few ‘effective Aboriginal democracies’.

Read more