NewsBite

More ATO tax hacking victims emerge as expert warns of myGov security issues

Many of those who have been hacked were using the same two-factor authentication security that the government is reminding people to adopt to protect their identities.

Cyber Security Minister Tony Burke. Picture: Martin Ollman/NewsWire

The federal government’s myGov system “is full of issues”, a cybersecurity expert says, as more people came forward with stories of how their accounts were hijacked by hackers and used to claim fraudulent tax refunds.

As Cyber Security Minister Tony Burke implored the public to use two-factor authentication security measures to protect their data, The Australian uncovered more cases of taxpayers who had their identities stolen, despite having that protection in place.

After The Australian on Monday detailed how hackers were infiltrating myGov to file bogus tax returns and collect the proceeds, Mr Burke issued a statement reminding Australians to take extra care online.

“We’re working every day across government to strengthen our cyber defences, but there are simple, effective steps that every Australian can take to keep themselves and their families safe online,” he said.

“Most cyber incidents are preventable, and basic defensive measures make a huge difference. Software updates, strong pass phrases and multi-factor authentication are essential defences for all Australians.”

Many of those who came forward on Monday with their stories of being caught up in the ATO tax hacking fraud said they already had two-factor authentication (2FA) security in place when their accounts were hijacked.

One subscriber to The Australian, Eric, said he had been affected by the hacking and was “astounded” by the ATO’s lack of responsibility for the situation.

“I have every one of their security measures in place but still someone hacked my account and changed my bank details,” he said.

“They just say they’ll work it out in time and in the meantime I’m $5000 out of pocket with no idea if or when they are going to allow me to put in my tax return. It would seem they have a monumental flaw in their system but don’t want to take responsibility.”

Another subscriber named Mal described how hackers had been able to access his myGov account while he slept, despite triggering the 2FA.

“The (2FA) had been sent as an SMS to me and still the hacker got in without having access to that code. That morning they accessed my account three times; the first time the hacker was in there for 15 minutes. I rang the appropriate government department about it and they weren’t really interested,” they said.

A reader named Mark described how hackers replaced his longstanding accountant with themselves without either himself or the accountant being notified. The hackers then changed the bank account details linked to the account and filed a bogus tax return for a large refund.

When his accountant tried to file Mark’s genuine tax return, the accountant realised he was locked out of the account.

“The ATO wouldn’t help him because, according to them, I’d changed accountant,” Mark said.

“They let slip to him that they were about to pay a significant return to my ‘new’ account. It was simply good fortune he picked it up and was able to stop it. That led to days of mess and an ongoing disaster for me, all compliments of non-existent security from the ATO.”

A reader identified as Chica said they had a similar experience, with the hackers making adjustments to tax returns from previous years and collecting the enlarged refunds. “To make matters worse they had no idea till I rung to find out where my refund was,” Chica wrote. “It’s been a nightmare dealing with the ATO.”

Curtin University Department of Computing head, associate professor Mihai Lazarescu, told The Australian he had made a point of trying to avoid myGov given “the whole system … has many issues”.

He said people were wrong to think 2FAs were bulletproof, and not all 2FA security systems were as strong as others.

Allowing third parties such as tax agents to access myGov on their client’s behalf opened up another security weakness.

“This is not because they’re not trying to do the right thing, but the road to hell is paved with good intentions and I think that applies here very well,” Professor Lazarescu said.

“Particularly older people, I think they’ve been really, really badly let down. It’s the sort of thing that you probably want to introduce over a long time and really explain to people exactly what is going on. Because trying to force people to use the system where third parties like your tax accountant also deal with it, it’s a recipe for disaster”.

On Sunrise on Monday morning, Social Services Minister Tanya Plibersek said Mr Burke and the National Office of Cyber Security were “right on this”.

“It is obviously a very concerning story and we’ll be using all of the resources of government to continue to make sure Australians are safer online,” she said.

Nationals leader David Littleproud described the incidents as “deeply concerning”.

“The government needs to be able to be transparent that they are actually on the job, because if you don’t have confidence and faith in government institutions and processes that keep our society together, that erodes trust,” he said.

Paul Garvey, Senior Reporter

Paul Garvey is an award-winning journalist with more than two decades' experience in newsrooms around Australia and the world. He is currently the senior reporter in The Australian’s WA bureau, covering politics, courts, billionaires and everything in between. He has previously written for The Wall Street Journal in New York, The Australian Financial Review in Melbourne, and for The Australian from Hong Kong before returning to his native Perth. He was the WA Journalist of the Year in 2024 and is a two-time winner of The Beck Prize for political journalism.


Original URL: https://www.theaustralian.com.au/nation/more-ato-tax-hacking-victims-emerge-as-expert-warns-of-mygov-security-issues/news-story/d746f32bb0696a790eb21c5a1f17241a