ATO puts businesses on notice over data storage and scam threats

ATO Second Commissioner Jeremy Hirschhorn at a Senate Estimates hearing in October 2020. Source: AAP Image/Mick Tsikas.

There’s nothing like a couple of days being interrogated by a royal commission to laser-focus the mind of a senior public servant on the need to act ethically and transparently when entrusted with vast holdings of data obligingly extracted from the Australian public and businesses.

The Australian Taxation Office’s second commissioner for client engagement, Jeremy Hirschhorn, has used his annual stump speech at the CFO Live Summit in Sydney to warn corporates they must not lose sight of matters moral when putting data to work.

It’s a prescient warning to the accounting elite from one of Australia’s most economically influential bureaucrats.

Just a couple of weeks ago, Hirschhorn was in the witness box at the Royal Commission into the Robodebt Scheme, being very publicly quizzed about why his agency did not blow the whistle on the Department of Human Services, which was using data legally obtained from the ATO to concoct the massive illegal welfare shakedown.

“I would urge senior leaders of organisations to make sure that your people do not get excessively focused on the (necessary) legal and technical aspects of the use of data, and forget the ethical aspects,” Hirschhorn told industry chiefs.

Those same chiefs are now fretting over successive cyber extortion hits on Optus and Medibank, a matter on which Hirschhorn also shared some insight.

As one of the largest, if not the largest, stores of personal data in the country, the ATO has good reason to put industry on notice about what it’s seeing on the cyber front line as it persistently battles hackers and data thieves trying to sneak into its vaults to find avenues for fraud.

For commercial hackers and espionage players alike, up-to-date financial data (think account details) mixed with personal data is more like platinum than gold because it can be used to orchestrate high-value fraud hits targeting real cash.

“Operating in an increasingly digital environment means we must consider how we ensure the reliability of our digital services and safeguard our systems from ever-evolving cyber threats and fraud attempts,” Hirschhorn said.

“To give you a sense of scale, the ATO holds about 50 petabytes of actively used data and processes about 20 billion transactions each year. On any given day, our systems block an average of approximately 90,000 malicious (attempted) connections per day — this is even higher during tax time — so about 3 million per month or one per second.”

The good news is that the ATO’s renowned technical aptitude is being put to good use in terms of hardening its systems, with the agency leading the federal government’s efforts to mint, authorise and process digital identity credentials into the broader Australian market.

The bad news is that when the ATO hardens up to the point that hitting the agency becomes uneconomical for hackers, the crooks move further down the food chain in their hunt for weaknesses and victims.

“As we harden our systems, criminals are seeking to access the broader tax system through other channels, like tax agent systems, superannuation funds or even taking over the identity of directors. Increasingly, we are seeing cascading penetration attempts, where criminals attempt to obtain information from different places before putting it together for fraud attempts,” Hirschhorn said.

“An important development is the rise of cyber enabled fraud at scale (such as identity and information theft). Many organisations have focused on traditional cyber security, but may have a blind spot in relation to cyber enabled identity fraud (identity fraud may have been treated as a series of ‘one-off’ events). However, as criminals become more sophisticated, and large data leaks more common, the risk of an ‘at scale’ cyber identity fraud has dramatically increased.”

That’s bad news for tax agents and accountants: their systems are now in the firing line because they potentially provide a pipeline through which to access and manipulate ATO client data via authorised third-party access channels.

Hirschhorn specifically called out “agent linking” to the ATO as a vector now being targeted.

“We’re seeing unprecedented, and increasingly sophisticated, efforts by criminals to impersonate legitimate users (such as authorised representatives of large businesses) to lodge fraudulent returns or gain access to data that they can make money from,” Hirschhorn said.

“One of the ways we are boosting our front-end controls is by changing the process for a client-authorised agent to link to a taxpayer’s account. One tangible way in which you can help protect your companies against fraud is to make sure that your directors and employees with tax system access obtain a myGovID credential.”

Put more simply, the deputy head of tax is gently putting business on notice that while the government doesn’t require digital identity credentials for tax transactions, those without them are now clearly more vulnerable to the impending weaponisation of stolen data.

The ATO is also clearly girding for an anticipated wave of fraud, increasing the challenges it issues on access attempts and accepting some re-introduced clunkiness in order to mitigate the risk.

“If you get a message from us querying around access, please respond immediately — better to waste a little time on a false alarm rather than risk an identity fraud event,” Hirschhorn said.

This article was first published by The Mandarin.