The private records of millions of Australians – including their doctor visits, prescription drugs, childcare and welfare payments – are at the mercy of cyber criminals because of flimsy IT security around a critical federal government website, IT security experts warn.
And they say the risk will increase from the middle of the year, when the government will make it compulsory for Australians to use the my.gov.au website to lodge their electronic tax returns, potentially also exposing their financial and banking records to hackers.
I expect two-factor authentication for information that is much less valuable.Troy Hunt, security expert
The myGov site is used by 2.5 million Australians to access their Centrelink, Medicare, Child Support, Department of Veteran Affairs, e-health, and NDIS government accounts. If users link their different accounts, information accessible includes their name, date of birth, phone numbers, email address, Medicare number, child immunisation records, dates of doctor visits and drugs prescribed, welfare and childcare reimbursement payments.
Some of the information accessible via my.gov.au when linking it to Medicare.
But Sydney software architect and IT security consultant Troy Hunt said the controls used to protect the site were "insufficient" and "irresponsible" and considerably weaker than many other large websites such as Google, Twitter and note-taking app Evernote.
He called on the government to introduce "two-factor authentication" to better protect the sensitive information. The process is commonly used by banks and other sites, requiring users to put in a token, or code, sent to their mobile phone before they are allowed access to their account.
"I'm surprised and concerned that the security controls protecting my medical [and tax] records are less than those protecting my recipes stored in Evernote," Mr Hunt said. "I think given the class of information they're protecting I'd call it irresponsible simply because I expect two-factor authentication for information that is much less valuable."
E-health records, including prescription drugs, are also accesible using my.gov.au.
Ty Miller, director of Sydney IT security firm Threat Intelligence, is concerned that the password requirements of myGov are "weak". The site only requires passwords to be seven characters long and include at least one number, meaning people would not be stopped from using the highly insecure "password1" and similar common words.
Fairfax Media has confirmed the Tax Office will announce next month that taxpayers must sign up to myGov to complete their electronic tax returns. More than a million people lodged their tax this way last year.
Taxpayers Australia spokesman Mark Chapman said he supported the move to myGov in principle but was worried about the lack of reassurance that taxpayers' data would be safe.
My.gov.au also allows access to Australians' Medicare claim history.
"We need reassurance from the myGov [software] developers that taxpayers' information will be fully secure and in particular we are very concerned about the username facility, which seems to make it too easy for third parties to find out your myGov identity by stealing the written record of your username, which all taxpayers will need to keep," he said.
Access to the portal requires just a user name, password and one security question to be answered. The user name is randomly generated, but Mr Hunt says this could be easily uncovered by criminals if they gained access to users' email. If weak secret questions were used, hackers could easily access accounts by guessing answers, Mr Hunt warned. This happened in 2008 when US politician Sarah Palin had her email hacked after her security questions – such as which high school she attended – were deduced.
The Department of Human Services, which runs myGov, said it was confident all users' personal information and records were "in very safe hands". "We closely monitor the use of myGov, to ensure that the security of the system is maintained. As technology evolves the department will continue to ensure the service meets community security expectations," said its general manager, Hank Jongen.
Centrelink payments are also made available via my.gov.au.
The Tax Office declined to comment on security beyond confirming that it would be joining the myGov portal "subject to the completion of testing and associated work".
Steven Roddis, of NSW, asked the Department of Human Services on March 13 for a copy of its myGov Privacy Impact Assessment using freedom of information laws and the website Right to Know. Such an assessment would contain known impacts and risks of impacts to the myGov website.
The department has asked for $343.45 before considering whether to release an estimated five pages.
Child immunisation records are accessible too.
Mr Roddis has requested the documents be released in the public interest at no charge.
A decision on whether to waive charges will be made by May 12.
Know more? firstname.lastname@example.org