ATO suffers minor IT security breach



blog We’re constantly hearing more and more about how “cyber” security is the next big bad, but concrete examples of how Australian Government infrastructure has been broken into are still thin on the ground. One incident to pop up last week has been what appears to be a relatively minor breach of an Australian Taxation Office portal through the logins of a number of tax agents. The Sydney Morning Herald reports (we recommend you click here for the full article):

“Fears have been raised about the security of Australian taxpayers’ information after four tax agents’ account details were illegally used by third parties.”

The SMH report was quite sensationalist in nature (we know, not surprisingly for the newspaper), but it does look like quite a substantial amount of investigation has been carried out into what took place here. Also, note that we may see more on this in future, as the SMH reporter who wrote the story has filed a Freedom of Information request for further information from the ATO. However, the ATO doesn’t feel as though the SMH got everything right, and has issued its own statement on the situation:

“It has been reported today that taxpayer information is at risk after criminals stole the identity of four tax agents. The report suggested that all Australian taxpayers’ information was under threat. This is incorrect. The identities of four tax agents were stolen and used to fraudulently obtain AUSkeys giving access to specialist tax agent online services (tax agent portal).

The ATO has contained the threat and cancelled the AUSkeys. We are working with the affected tax agents to ensure their practices and information is secure. Doing business online has benefits, but it also comes with risks. People looking to commit identity fraud constantly look for ways to profit so it is critical to remain vigilant regarding your personal information and online security. Online fraud can be complex and multilayered. We are investigating the incident and working with relevant law enforcement agencies.”

So where’s the truth here? We suspect it’s somewhere in the middle between these two views. Was this a serious breach, with the taxation files of millions of Australians at risk? Not really. The ATO’s systems look to be a little bet better protected than that. But equally, was this just an incident of no consequence? Again, not really. The intrusion did have the potential to see some sensitive tax information stolen.

In our experience, this kind of outcome is pretty much the norm in the IT security industry. When a break-in initially occurs, it’s panic stations, followed by a gradually calm-down as the realisation hits that nothing that sensitive was accessed. It will be interesting to see if more such security breaches occur over the next few years in the Federal Government.

Image credit: Matt Aiello, royalty free


  1. Not sure how much I can say, but the blunt reality is that the risk to taxpayers was very very small. You’ve pretty much nailed it Renai, it wasnt an overly serious issue, but equally there will naturally be consequences.

    Look at it a different way. The ATO discovered the issue very early on, and acted on it accordingly. So as something that (sadly) is relatively common in IT security, at least they were able to head it off before it escalated to Sony-esque proportions.

  2. Given reports from the US of how hackers have managed to penetrate government agencies, it seems the only real protection is to avoid attracting hackers’ attention. If they want to break in, they will.

  3. It would be interesting to know whether this is a social breach (ie a laptop was stolen that contained the Auskeys), Third party software was hacked (and they obtained the Auskeys that way), or if it is a breach of Auskey itself?

Comments are closed.