Criminals breach Australian tax system
Photo: Andrew Quilty
Fears have been raised about the security of Australian taxpayers' information after four tax agents' account details were illegally used by third parties.
A warning of the breach was sent in a note to tax agents nationwide on February 5, urging them to log in to the Tax Agent Portal to see if criminals had signed up for their own log-in under the agent's business name.
The note was not posted on the Tax Office website.
With an agent's log-in, a criminal gains access to an agent's existing clients. Some tax agents warned a fraudster could also potentially access every Australian taxpayer's information if they knew four pieces of information about a person. They said a criminal could potentially lodge a fake tax return on behalf of someone else and claim the money themselves, or use the information to steal someone's identity.
The Australian Taxation Office has denied that all Australians' tax information was put at risk; however, it has not disputed the agents' claims.
"The personal identity of a small number of tax agents has been stolen to create unauthorised AUSkeys," the Tax Office told agents. AUSkeys allow access to "the Tax Agent Portal and taxpayer information", it added.
It went on to say it is working with affected agents to assist them in protecting their online security and suggests agents take a number of precautions to be certain their practice's information is secure.
The Tax Office uncovered at least four tax agents who had their personal identity stolen. It did not tell Fairfax Media whether the agents were small or large in size or how many clients each had. It told the Australian Financial Review newspaper that of the four agents, it knew of 20 taxpayers' records being put at risk.
One Sydney tax agent contacted by Fairfax Media who didn't want to be named said they were alarmed at the breach.
The agent said if a criminal had access to the Tax Agent Portal and four key pieces of information – a person's tax file number, date of birth, name and gender – then they could find out any person's taxation information, including how much they earned over the past three years, how much tax they paid and if they had a HECS debt.
"It's got everything in there," the agent said of the Tax Agent Portal.
"In there are all my clients' records pertaining to at least the last three years for personal tax and of course it also has access to the client accounts of companies, superannuation funds, trusts – just about everything.
"It's [also got in there] all the details that are required when you fill out a tax form."
A second agent confirmed this and said a criminal could also change the bank details of a taxpayer to their own.
However, a third agent said while it was possible to access any individual's tax records with the four pieces of information, "it’s highly unlikely to eventuate".
Federal privacy commissioner, Timothy Pilgrim, said the Tax Office had previously informed him of the incident.
The Tax Office told him they had "set out the steps" they had taken to rectify the security issue. He was not investigating "at this stage".
"If any individuals are concerned that their information may have been compromised they should first contact their tax agent or the [Tax Office]. If they are not satisfied with the response, they can then lodge a complaint with our office."
Sydney security expert Chris Gatford, of Hacklabs, said the breach was worrying and that it was easy for a criminal to get access to the four pieces of information required to gain access to taxpayers' records using "social engineering" - tricking a person into handing over personal information.
At 1pm AEDST the Tax Office said it would not be responding to a series of questions Fairfax had for it about the breach. It said it would instead post a statement in the comments section of this story in its own time.
At 1.53pm AEDST it posted a statement below this story saying the contents of this article were "incorrect", but failed to explain exactly what it took issue with. "Taxpayer information is not at risk," the comment said.
"The identities of four tax agents were stolen and used to fraudulently obtain AUSkeys giving access to specialist tax agent online services (tax agent portal). The [Tax Office] has contained the threat and cancelled the AUSkeys. We are working with the affected tax agents to ensure their practices and information is secure."
It said it was "investigating the incident" and working with relevant law enforcement agencies.
"AUSkeys are the secure, unique identifier agents can use to access the Tax Agent Portal. In order to get an AUSkey, people need to pass stringent proof of identity procedures. An AUSkey gives access to a tax agent’s client list, it does not give access to the information of the broader taxpaying community. In this case, the identity of four tax agents was stolen and this information was used to fraudulently obtain AUSkeys."
Despite the Tax Office's comment that only an agent's existing client information could be exposed as a result of the criminals creating their own log-ins, agents claim this is not the case. As three tax agents Fairfax spoke to said, if you have a person's date of birth, tax file number, gender and name you can access their taxation information.
Fairfax has since found that the Tax Office has posted a version of its comment on its website. A Tax Office spokesman told The Australian newspaper: "[Criminals] certainly haven't been given the keys to the vault."
Further questions have been asked about whether the Tax Office has the technical capability to see who exactly has accessed a taxpayer's records and how many incidents of malicious activity it has detected.
A spokesman for assistant treasurer David Bradbury had no comment.
This reporter is on Facebook: /bengrubb