• Great articles on other sites
  • RSS Great articles on other sites


  • Renai's other site: Sci-fi + fantasy book news and reviews
  • RSS Renai LeMay

  • Blog, Enterprise IT, Security - Written by on Monday, February 11, 2013 16:03 - 3 Comments

    ATO suffers minor IT security breach

    tax1

    blog We’re constantly hearing more and more about how “cyber” security is the next big bad, but concrete examples of how Australian Government infrastructure has been broken into are still thin on the ground. One incident to pop up last week has been what appears to be a relatively minor breach of an Australian Taxation Office portal through the logins of a number of tax agents. The Sydney Morning Herald reports (we recommend you click here for the full article):

    “Fears have been raised about the security of Australian taxpayers’ information after four tax agents’ account details were illegally used by third parties.”

    The SMH report was quite sensationalist in nature (we know, not surprisingly for the newspaper), but it does look like quite a substantial amount of investigation has been carried out into what took place here. Also, note that we may see more on this in future, as the SMH reporter who wrote the story has filed a Freedom of Information request for further information from the ATO. However, the ATO doesn’t feel as though the SMH got everything right, and has issued its own statement on the situation:

    “It has been reported today that taxpayer information is at risk after criminals stole the identity of four tax agents. The report suggested that all Australian taxpayers’ information was under threat. This is incorrect. The identities of four tax agents were stolen and used to fraudulently obtain AUSkeys giving access to specialist tax agent online services (tax agent portal).

    The ATO has contained the threat and cancelled the AUSkeys. We are working with the affected tax agents to ensure their practices and information is secure. Doing business online has benefits, but it also comes with risks. People looking to commit identity fraud constantly look for ways to profit so it is critical to remain vigilant regarding your personal information and online security. Online fraud can be complex and multilayered. We are investigating the incident and working with relevant law enforcement agencies.”

    So where’s the truth here? We suspect it’s somewhere in the middle between these two views. Was this a serious breach, with the taxation files of millions of Australians at risk? Not really. The ATO’s systems look to be a little bet better protected than that. But equally, was this just an incident of no consequence? Again, not really. The intrusion did have the potential to see some sensitive tax information stolen.

    In our experience, this kind of outcome is pretty much the norm in the IT security industry. When a break-in initially occurs, it’s panic stations, followed by a gradually calm-down as the realisation hits that nothing that sensitive was accessed. It will be interesting to see if more such security breaches occur over the next few years in the Federal Government.

    Image credit: Matt Aiello, royalty free

    Print Friendly

    3 Comments

    You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

    1. GongGav
      Posted 11/02/2013 at 7:19 pm | Permalink |

      Not sure how much I can say, but the blunt reality is that the risk to taxpayers was very very small. You’ve pretty much nailed it Renai, it wasnt an overly serious issue, but equally there will naturally be consequences.

      Look at it a different way. The ATO discovered the issue very early on, and acted on it accordingly. So as something that (sadly) is relatively common in IT security, at least they were able to head it off before it escalated to Sony-esque proportions.

    2. Stephen H
      Posted 12/02/2013 at 10:30 am | Permalink |

      Given reports from the US of how hackers have managed to penetrate government agencies, it seems the only real protection is to avoid attracting hackers’ attention. If they want to break in, they will.

    3. Posted 12/02/2013 at 10:49 am | Permalink |

      It would be interesting to know whether this is a social breach (ie a laptop was stolen that contained the Auskeys), Third party software was hacked (and they obtained the Auskeys that way), or if it is a breach of Auskey itself?




  • Get our weekly newsletter

    All our stories, just one email a week.

    Email address:


    Follow us on social media






    Use your RSS reader to subscribe to our articles feed or to our comments feed.

  • Most Popular Content

  • Enterprise IT stories

    • Legacy health software lands SA Govt in court doctor

      In which the South Australian Government comes up with complex legal arguments as to why it should be able to continue to use a 1980’s software package.

    • Microsoft wants to win you back with Windows 10 windows-10

      The latest version of Microsoft’s Windows operating system will begin rolling out from Wednesday (July 29). And remarkably, Windows 10 will be offered as a free upgrade to those users who already have Windows 7 and 8.1 installed.

    • Qld Govt Depts have no disaster recovery plan brisvegas2

      Two sizable Queensland Government departments have no central disaster recovery plan, the state’s Auditor-General has found, despite the region’s ongoing struggles with extreme weather conditions that have previously knocked out telecommunications and data centre infrastructure.

    • ASD releases Windows 8 hardening guide windows-8-1

      The Australian Signals Directorate appears to have released a guide to hardening Microsoft’s Windows 8 operating system, three years after the software was released for use by corporate customers, and as Microsoft is slated to release its next upgrade, Windows 10.

    • ASG picks up $35m CIMIC IT services deal money

      Perth-headquartered IT services group ASG this week revealed it had picked up a deal worth at least $35 million over five years with CIMIC Group — the massive construction and contracting group previously known as Leighton Holdings.

  • Blog, Policy + Politics - Jul 31, 2015 12:43 - 0 Comments

    Google ploughs $1m into Australian tech education

    More In Policy + Politics


    Blog, Enterprise IT - Jul 31, 2015 14:16 - 1 Comment

    Legacy health software lands SA Govt in court

    More In Enterprise IT


    Industry, News - Jul 28, 2015 12:37 - 0 Comments

    ICAC to investigate NSW TAFE ICT manager

    More In Industry


    Consumer Tech, News - Jul 29, 2015 17:14 - 11 Comments

    Telstra integrates Netflix, Stan, Presto into re-badged Roku box

    More In Consumer Tech