Opposition urges government to take security of citizens' data seriously

Ben Grubb

Government website security not up to scratch

Private records of doctor visits, prescription drugs, childcare and welfare payments are at the mercy of cyber criminals because of flimsy IT security.

The opposition has called on the Abbott government to take the security of people's private e-health, Medicare, child support and other government records seriously after it was revealed flimsy security was used to protect a critical government website.

Opposition human services spokesman Doug Cameron said on Monday night that Fairfax Media's report on the security of the myGov website was concerning.

He called on Human Services Minister Marise Payne to take the matter of Australians' security seriously.

Concern: Senator Doug Cameron has called on the government to take security seriously. Photo: Alex Ellinghausen

"All Australians need to have confidence that personal information placed on and accessed through the myGov website is safe from hacking," Senator Cameron said.

He requested Minister Payne provide him with a detailed briefing and reassurance that Australians' personal information was protected by "robust and effective security systems".

He also asked what actions the government was taking to secure citizens' personal information on the myGov website.

Security: E-health records, including prescription drugs, are also accessible using my.gov.au.

"The Abbott government must adopt best practice, technically secure systems and protocols for myGov security," Senator Cameron said.

The myGov site is used by 2.5 million Australians to access their Centrelink, Medicare, Child Support, Department of Veterans' Affairs, e-health, and National Disability Insurance Scheme government accounts. Linked accounts provide information including name, date of birth, phone numbers, email address, Medicare number, child immunisation records, dates of doctor visits and drugs prescribed, and welfare and childcare reimbursement payments.

The technology behind the myGov website was originally developed by the Department of Finance under Labor when it was known as an australia.gov.au account. Management of it was transferred to the Department of Human Services to allow access to Medicare, Centrelink and other services once it was migrated to the my.gov.au domain.

Records: Some of the information accessible via my.gov.au when linking it to Medicare.

Now the Tax Office also wants to join the site and plans to make it a compulsory point of access for lodging electronic tax returns from July.

IT security experts have warned it provides insufficient security controls against common hacking attacks, including social engineering, where hackers trick users into giving them their credentials.

Department takes security "extremely seriously"

Fears: Australian security consultant Troy Hunt says the myGov site uses "insufficient" and "irresponsible" security controls.

A spokesman for Minister Payne declined to comment on Senator Cameron's concerns, referring Fairfax Media to her department.

The Department of Human Services said it took the security of its digital services "extremely seriously".

"myGov users can be confident that their personal information and records are in very safe hands," the department said.

It said it had completed the "necessary threat and risk assessments" of the myGov service consistent with the Australian government’s security and privacy requirements, and added the myGov service was "subject to privacy impact assessments and to regular external audits, including by the Australian Privacy Commissioner".

The department also said it routinely subjected myGov to independent security testing, but didn't name the testers. 

Level of security "similar to banks"

The department compared the security controls used to protect myGov to the security of online banking systems.

"To access a myGov account a user must enter their user name, their password and answer a secret question," it said. "This level of security to access an online account is similar to that used by most banks."

Sydney software architect and IT security consultant Troy Hunt said the bank analogy was disingenuous.

"[It] makes me wonder if they really appreciate the nature of the information they’re tasked with protecting," Mr Hunt said.

"If your bank account is compromised, you lose an asset that is refundable and, indeed, the banks are very good at covering you when fraud occurs," he said.

"If your family medical history is disclosed, you can never get that back – there is no refund."

Mr Hunt – who has previously said the security controls protecting the myGov website are "insufficient" and "irresponsible" – hopes the government will enable "two-factor authentication" for myGov, or at least allow it as an option. This would let users access the site via a token, or code, sent to a mobile phone, tablet or a personal physical device issued by the government. Two-factor authentication is an option for Google, Facebook and even Twitter accounts.

"The heart of the issue remains that the single factor of authentication – information that is known – is vulnerable to numerous attacks ranging from the use of previously disclosed data [from] other breaches, to publicly observable facts, to good old social engineering," Mr Hunt said.

He said the purpose of two-factor authentication was to ensure the single point of weakness – that is known information – cannot be leveraged in a "garden variety" attack.

"Why the government feels that the class of data it protects is not in the same league as the data protected by two-factor authentication in other broadly used systems is still not clear," Mr Hunt said.

Know more? bgrubb@fairfaxmedia.com.au

4 comments so far

  • This is getting a bit silly. MyGov issues a randomly generated user name that consists of letters and numbers - which, yes, you probably need to write down as it is difficult to remember - as well as a password and a secret question. When signing up, you have to answer several secret questions, and each time you access the site one of those will be randomly asked.

    It is not perfect by any means, but it is usable and as secure as internet banking. Health information is of course extremely private, but hackers would find it much easier to break into a doctor's PC or to physically break into a doctor's office. Security consultants will always bang on about the potential for hacks because that is what they are paid to do. With all of these things, it is a matter of balancing security with convenience. An option of 2FA is fine but constant scare-mongering is a pain.

    Commenter
    Toshiro Mifune
    Date and time
    April 29, 2014, 2:20PM
    • "The opposition has called on the Abbott government to take the security of people's private e-health, Medicare, child support and other government records seriously "

      Haven't the ALP been responsible for the security of government web sites for the last 6 years and for setting many of them up???

      What hypocrisy of Cameron and the other ALP clowns trying to cover another of their failings.

      Commenter
      Andie
      Date and time
      April 29, 2014, 5:56PM
      • Our recent findings have shown that hospitals, care providers and medical insurers experience twice as many internal security breaches in comparison to other sectors. Considering the sensitive nature of patient data, this suggests that there is significant reason for concern. As we are seeing more and more patient data being stored digitally, it’s important that the appropriate steps are being taken to ensure that that data is secure from both malicious attack and accidental breaches. The Insider Threat Security Manifesto from IS Decisions helps understand what is being done and how to mitigate these very risks.

        Commenter
        ChrisBunn
        Date and time
        April 29, 2014, 8:00PM
        • How many times are we going to get the same story? Yesterday it was http://www.smh.com.au/it-pro/government-it/australians-private-government-details-at-mercy-of-hackers-say-it-security-experts-20140428-zqzkg.html

          There is undoubtedly a danger that the data held by MyGov could be compromised. The biggest danger is from hackers or employees, not from careless security of a password. Having access to one password will give you access to one set of records. The injection of code to allow for wider access is something the system should be designed to defeat.

          Any word of a break in at the MyGov web site and data being compromised?

          Just for the record I won't use e-health because of security concerns.

          Commenter
          Bob.H
          Location
          Central Coast NSW
          Date and time
          April 30, 2014, 9:56AM
