This was published 2 years ago

Two years after personal data was stolen the old-fashioned way, the fraud continues

By Sally Rawsthorne

Almost two years after a break-in at a suburban tax agent in Sydney’s north-west, victims whose identities were compromised remain powerless to stop ongoing attempts at fraudulent tax returns in what experts warn shows the long-reaching consequences of data theft.

When Income Tax Professionals at Baulkham Hills was broken into over Christmas 2020, thieves took a number of paper files and one of the firm’s computers.

At least six fraudulent tax return attempts have been made against one victim who spoke to the Herald. Credit: Jim Rice

The perpetrators were never caught, NSW Police said.

“Both of our locks, the door and the door framing were broken,” read an email from ITP to customers obtained by the Herald.

“While we do not know if the material stolen will be used to enable identity theft or other crimes of fraud, we wanted you to know of this theft so you could be aware of the risk and the possibility that you may be targeted by scammers.”

ITP was contacted for comment.

Six months passed before the thieves – or whoever they had given or sold the data to – attempted to use it, said one victim, who asked not to be named because of ongoing fraud issues.

“It started at tax time, the first attempt at a fraudulent tax return was on July 21,” he said.

Five subsequent attempts at a fraudulent tax return have been made, each necessitating frustrating hours on the phone with the ATO; the thieves have also attempted to re-route the Business Activity Statement he must lodge quarterly for his business to a fake myGov account created with his compromised tax file number to claim a GST return.

“In one conversation over the phone, the ATO officer said the tax return refund was in the vicinity of mid-thousands,” he said.

“That’s not a huge amount of money, but it will add up quickly if they can successfully make those claims against a number of people.”

Troy Hunt, cybersecurity expert and creator of the “Have I Been Pwned?” data breach notification service, said it shows that data theft can have long-term consequences for an individual, although he cautioned it is difficult to attribute fraudulent activity to a particular breach because they are so frequent.

“So much data is leaked in so many places, when there is fraudulent activity the causation is difficult,” Hunt said. “Proving it was this one that resulted in your breached identity depends on the class of activity – for instance, passports and driver’s licences don’t appear in many data breaches; there’s a scarcity factor – while emails and phone numbers appear quite frequently.”

In order to avoid spending hours on the phone with the ATO every time a fraudulent attempt is made, the victim has requested a new tax file number, to no avail.

“It’s very frustrating, it would solve the problem for me immediately,” he said.

Asked why it refuses to provide new tax file numbers, the ATO issued a statement saying it “takes identity theft and fraud very seriously”.

“It is important to note that in order for a third party to gain access to an ATO client account the third party must hold more information about the client than just their TFN. The third party would need additional personal identifying information to achieve this. Given that the TFN in isolation does not provide access to an ATO client account, replacement of the TFN will not necessarily remediate a situation where third-party access or fraud has already occurred. However, where replacement of the TFN will result in protecting the client account, this may be offered.”

Instead of issuing new tax file numbers, Hunt thinks situations like this represent an opportunity to rethink the way in which Australian institutions approach data security.

“Our dependency on identifiers that are quasi-secret is a problem – they are so important for who we are, but they’re sent around between agencies. I’d like to see a lot more focus on how we do identity verification and the usability of the technology in a phone or a watch, like an iPhone’s biometric facial identifier, rather than a tax file number.”

clarification

Troy Hunt is not a Microsoft executive as originally reported, but rather a Microsoft regional director, a title the tech giant gives to non-employees as part of a program that “recognises the world’s top technology visionaries”.

Original URL: https://www.watoday.com.au/national/two-years-after-personal-data-was-stolen-the-old-fashioned-way-the-fraud-continues-20221001-p5bmf8.html