Government website security not up to scratch
Private records of doctor visits, prescription drugs, childcare and welfare payments are at the mercy of cyber criminals because of flimsy IT security.
The opposition has called on the Abbott government to take the security of people's private e-health, Medicare, child support and other government records seriously after it was revealed flimsy security was used to protect a critical government website.
Opposition human services spokesman Doug Cameron said on Monday night that Fairfax Media's report on the security of the myGov website was concerning.
He called on Human Services Minister Marise Payne to take the matter of Australians' security seriously.
Concern: Senator Doug Cameron has called on the government to take security seriously. Photo: Alex Ellinghausen
"All Australians need to have confidence that personal information placed on and accessed through the myGov website is safe from hacking," Senator Cameron said.
He requested Minister Payne provide him with a detailed briefing and reassurance that Australians' personal information was protected by "robust and effective security systems".
He also asked what actions the government was taking to secure citizens' personal information on the myGov website.
Security: E-health records, including prescription drugs, are also accessible using my.gov.au.
"The Abbott government must adopt best practice, technically secure systems and protocols for myGov security," Senator Cameron said.
The myGov site is used by 2.5 million Australians to access their Centrelink, Medicare, Child Support, Department of Veterans' Affairs, e-health and National Disability Insurance Scheme government accounts. Linked accounts expose information including name, date of birth, phone numbers, email address, Medicare number, child immunisation records, dates of doctor visits and drugs prescribed, and welfare and childcare reimbursement payments.
The technology behind the myGov website was originally developed by the Department of Finance under Labor when it was known as an australia.gov.au account. Management of it was transferred to the Department of Human Services to allow access to Medicare, Centrelink and other services once it was migrated to the my.gov.au domain.
Records: Some of the information accessible via my.gov.au when linking it to Medicare.
Now the Tax Office also wants to join the site and plans to make it a compulsory point of access for lodging electronic tax returns from July.
Department takes security "extremely seriously"
Fears: Australian security consultant Troy Hunt says the myGov site uses "insufficient" and "irresponsible" security controls.
A spokesman for Minister Payne declined to comment on Senator Cameron's concerns, referring Fairfax Media to her department.
The Department of Human Services said it took the security of its digital services "extremely seriously".
"myGov users can be confident that their personal information and records are in very safe hands," the department said.
It said it had completed the "necessary threat and risk assessments" of the myGov service consistent with the Australian government’s security and privacy requirements, and added the myGov service was "subject to privacy impact assessments and to regular external audits, including by the Australian Privacy Commissioner".
The department also said it routinely subjected myGov to independent security testing, but didn't name the testers.
Level of security "similar to banks"
The department compared the security controls used to protect myGov to the security of online banking systems.
"To access a myGov account a user must enter their user name, their password and answer a secret question," it said. "This level of security to access an online account is similar to that used by most banks."
Sydney software architect and IT security consultant Troy Hunt said the bank analogy was disingenuous.
"[It] makes me wonder if they really appreciate the nature of the information they’re tasked with protecting," Mr Hunt said.
"If your bank account is compromised, you lose an asset that is refundable and, indeed, the banks are very good at covering you when fraud occurs," he said.
"If your family medical history is disclosed, you can never get that back – there is no refund."
Mr Hunt – who has previously said the security controls protecting the myGov website are "insufficient" and "irresponsible" – hopes the government will enable "two-factor authentication" for myGov, or at least allow it as an option. This would require users to present, in addition to their password, a token or one-time code sent to a mobile phone, tablet or a physical device issued by the government. Two-factor authentication is already an option for Google, Facebook and even Twitter accounts.
"The heart of the issue remains that the single factor of authentication – information that is known – is vulnerable to numerous attacks ranging from the use of previously disclosed data [from] other breaches, to publicly observable facts, to good old social engineering," Mr Hunt said.
He said the purpose of two-factor authentication was to ensure the single point of weakness, known information such as a password or a secret answer, cannot on its own be leveraged in a "garden variety" attack.
"Why the government feels that the class of data it protects is not in the same league as the data protected by two-factor authentication in other broadly used systems is still not clear," Mr Hunt said.
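To make concrete what the "second factor" Mr Hunt describes adds over a password and a secret question, the following is an added worked example, not code from the article or from the Department of Human Services. It implements the standard time-based one-time password scheme (TOTP, RFC 6238, HMAC-SHA1, 30-second steps) with the Python standard library and checks it against the RFC's published test vectors, then models a login where the password has already leaked in a breach: the attacker still fails because they cannot produce the current code. The account, password and enrolled secret are constructed for the demo; the secret is the RFC 6238 test key, not anything belonging to a real user.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo secret: the RFC 6238 Appendix B test key (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"  # zero-padded so leading zeros survive


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift.
    Comparison is constant-time; a real deployment also rate-limits and rejects code reuse."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


# --- Constructed account model for the demo (hypothetical names, not a real system) ---

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


DEMO_SALT = os.urandom(16)
ACCOUNTS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_secret": RFC6238_SECRET,   # enrolled second factor (constructed)
    }
}


def login(username: str, password: str, code: str, now: int) -> str:
    """Returns a reason string for the demo. A production endpoint would return one
    uniform failure to the client and keep the reason in server-side logs only."""
    account = ACCOUNTS.get(username)
    if account is None:
        return "failed"
    if not hmac.compare_digest(hash_password(password, DEMO_SALT), account["pw_hash"]):
        return "failed"                     # first factor (something known) wrong
    if not verify_totp(account["totp_secret"], code, now):
        return "second_factor_failed"       # password was right, but no valid code
    return "ok"


def breached_password_attack(now: int) -> str:
    """The attack the article describes: the password is already known from another breach,
    but the attacker has no access to the enrolled device and must guess the code."""
    return login("alice", "correct horse battery staple", "000000", now)


if __name__ == "__main__":
    now = 1234567890
    print("legitimate user:", login("alice", "correct horse battery staple",
                                    totp(RFC6238_SECRET, now), now))
    print("attacker with leaked password:", breached_password_attack(now))
```

The RFC 6238 vectors pin the implementation down: for the key above, time 59 yields 287082, time 1111111109 yields 081804 and time 1234567890 yields 005924 (the last six digits of the RFC's eight-digit values). The design point relevant to the article is in `login`: a correct password only gets an attacker to the second check, and that check depends on a secret that never leaves the user's device and changes every 30 seconds, so neither a dump from an unrelated breach nor a guessable secret-question answer is sufficient on its own.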