A lack of security has left Australia's Tax Office and Immigration Department vulnerable to cyber attacks, putting personal data at risk, a national audit has found.
The agencies, which hold national security data and personal information including bank account details, have failed to make crucial IT reforms they promised to adopt by 2016, the Australian National Audit Office report said.
Neither department was "cyber resilient" - able to provide services while deterring attacks - despite collecting, storing and using data that could be used to identify, contact or locate people.
Among these were birth dates, bank account details, driver's licence numbers, tax file numbers and biometric data.
"Not operating in a cyber resilient environment puts entities' data and business processes at risk, with potentially significant consequences for Australian citizens," the ANAO said in the report, tabled in Parliament on Wednesday.
While the Australian Taxation Office and the Department of Immigration and Border Protection were protected from internal breaches and unauthorised leaks, a shortfall in security made both vulnerable to cyber attacks from external sources.
Only the Human Services Department, which the ANAO also assessed, had adopted strategies needed to protect itself from attacks.
The ANAO's findings come four years after the federal government gave agencies a July 2014 deadline to adopt four top IT security strategies, which the spy agency the Australian Signals Directorate says prevent 85 per cent of cyber intrusions.
Despite promising in 2014 to implement them by 2016, the ATO had adopted only two of the strategies and Immigration only one, the audit office found.
Human Services was the only agency to have implemented one of the strategies, 'whitelisting' computer programs - that is, listing those that are safe to run and blocking the rest.
Immigration allowed more than 1400 users to bypass its whitelisting controls by installing unauthorised applications on their desktops, and parts of the ATO did not whitelist programs at all.
The report found the ATO and Immigration also fell short in adopting the other top strategies, applying security updates to computer programs and to operating systems.
A tripling of UNIX/Linux servers at the ATO "complicated" its rollout of security updates, and the agencies had failed to rid computers of outdated, unsupported software.
They also failed to take servers offline to apply security updates, and needed to check more closely that ICT contractors were accurately reporting how they met their obligations.
Failures to adopt all four top security measures have been repeated across government, with the ANAO finding that only three of the 11 agencies it has audited since 2014 used the defences.
"Many entities were slow to respond to the government policy requirements," it said.
An Immigration Department spokeswoman said there had been no successful attacks on its ICT systems, and a number of incidents had been prevented from escalating by security controls.
The agency has recently merged with the former Australian Customs and Border Protection Service, integrating its ICT systems.
"The new department operates in a significantly more complex environment," the spokeswoman said.
It was enhancing its cyber resilience to comply with the "top four" security measures, and had improved its detection of security breaches and its response to incidents.
"These measures will enhance the department's protection against cyber attacks from external sources and further improve the department's robust cyber security controls against internal threats."
The ATO said IT security measures audited were only part of its cyber security protection.
"We have a number of supporting functions and practices to protect the data and systems from cyber intrusion and attack.
"These are already implemented to provide the additional layers of protection."
Since the audit it had been working towards "a higher level of full compliance", which it expected to reach this year.
"The community can be confident that our current and future digital services are secure."