While Sam was doing her routine tax work with her accountant, the accountant congratulated her on selling her house. Sam was confused by this comment, as she had never owned that house.
However, according to records from the Australian Taxation Office (ATO), not only had a house been sold in her name, but she had also filed her tax return.
She had also filed amendments to previous years’ tax returns, and another was still in the process of being amended.
After examining the details on her accountant’s screen for some time, Sam came to a horrifying realisation. Her account had been accessed by an impersonator who had fraudulently obtained five refunds totalling $25,000 from the ATO.
In the wake of the high-profile data breaches involving Medibank and Optus, she considered the possibility that she might also have been a victim of a significant breach by a major government agency that had gone unreported.
In reality, the situation was much more complex.
In partnering with Sam, ABC Investigations identified a vulnerability in the myGov and ATO systems that cybercriminals are exploiting to defraud taxpayers.
‘Entirely up to me.’
During her career, Sam has worked in various industries, including banking and large commercial enterprises.
A retired professional, she divides her time between a city apartment and a Victorian country cottage in a picturesque country region.
An expert in cyber security would describe the Melbourne woman as a model citizen when it comes to digital hygiene.
She uses only one device for her ATO and myGov online sessions, and she has scanned it thoroughly for viruses and malware. She never clicks on unsolicited or strange links. She has never given out her passwords, which are complex and unique.
Despite Sam’s meticulous security habits, her accountant revealed that these measures could only protect her to a limited extent.
Sam was supposed to receive a code by text message whenever she logged into her ATO account through myGov.
In recent months, she had received no such authorisation request.
Sam’s address, bank account numbers, email address and phone number had all been changed.
Sam was a victim of the Optus breach. ABC Investigations determined that the hacker wouldn’t have been able to gain entry into her ATO account even with the information from the Optus breach.
The ATO was the first phone call Sam made. She spent around three hours in her accountant’s office that day.
Sam’s ATO account was locked, but the ATO advised that it does not report these cases to the police; that was entirely up to Sam.
The ATO told Sam to wait until a case manager contacted her. It estimated that it would take approximately three weeks to begin investigating.
Next, it took Sam hours to navigate UBank’s automated telephone system before she was finally instructed to write to UBank’s parent company, National Australia Bank (NAB).
Sam was due to receive a large deposit into her savings in the next few days, and the hackers could see her bank account details. She was worried about them getting access to her money.
“It was a stressful time,” she recalled. “In addition, we were moving house, selling a property, and settling a property.”
During this period, she would spend countless hours and days reporting the fraud to the police, opening a new bank account, and notifying her super fund that potential fraud was involved.
Down the rabbit hole
As ABC Investigations revealed last month, login credentials for government agencies, the Australian Taxation Office, and Virgin Money were being sold on the dark web for bargain prices.
In response to the article, which revealed that thousands of NDIS recipients had not been informed that their private information had been hacked, Minister Bill Shorten’s office and the Bank of Queensland contacted ABC Investigations to clarify that neither the NDIS, myGov nor Virgin Money had sustained any direct attack.
Sam was also prompted to contact ABC after reading the report.
Even though various agencies told us that Sam’s accounts were “not compromised” or that they had “robust protections”, we could not ignore the vulnerabilities her case revealed.
Four weeks after Sam complained to the tax office, with no response received, ABC Investigations contacted the agency.
The ATO finally contacted her to explain what it knew about the hacking incident.
Sam was informed that the fraudster had created a bogus myGov account and used her tax file number (TFN), date of birth and other personal information that was not specified to her.
The fraudster changed Sam’s personal details and then unlinked her ATO account from her legitimate myGov account. This prevented her from seeing any refund assessment notices, and it also allowed the fraudster to circumvent the two-factor authentication provided by the ATO.
The ATO officer informed Sam that this is not unusual and that “there are many fraudulent myGov accounts that access tax information.”
MyGov accounts may be created by anyone with an email address, according to Services Australia. It is not necessary to provide proof of identity, and the number of accounts that can be opened is not limited.
It was unclear how hackers were able to obtain Sam’s TFN. As far as she was aware, this information had not been taken during the Optus breach.
Over the following days, Sam continued to press the ATO for information about the hacker. She learned that the criminal or criminals had in fact needed her TFN to access her account.
The hackers repeatedly changed the bank account details in her ATO profile between refunds. A series of UBank accounts was used to receive the payments before Sam discovered the fraud on November 15.
Sam asked whether the size of the refunds, only $5,000 each, was the reason the multiple changes to her personal details were not picked up.
An ATO officer acknowledged that higher amounts would have been detected and told her that the ATO now has a system to track multiple changes to a bank account.
In her case, it had not been triggered. An ATO official confirmed that the fraud had not been discovered before she notified them.
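The pattern the article describes is one that profile-change monitoring can surface: the account is re-linked to a new login, contact details are changed, the bank account is changed again before each refund, and each refund stays below a per-payment review amount. The following is an added example, not code from the ABC article or from any ATO, myGov or UBank system. It runs four velocity-style rules over a constructed account-event log; the event format, field names and thresholds are all assumptions chosen to illustrate the detection idea, not the ATO’s actual controls.

```python
"""Velocity-based detection of profile-change fraud on a taxpayer account.

Added example (assumed event format and thresholds). The log below is
constructed: tp-001 mirrors the pattern in the article, tp-002 is a control
account with one ordinary bank update and one refund months apart.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, taxpayer id, event, detail).
SAMPLE_EVENTS = [
    ("2022-10-01T09:12:00", "tp-001", "link_changed",  "login:new-account-A"),
    ("2022-10-01T09:15:00", "tp-001", "email_changed", "mail-1"),
    ("2022-10-01T09:16:00", "tp-001", "phone_changed", "phone-1"),
    ("2022-10-01T09:20:00", "tp-001", "bank_changed",  "bsb-x/acct-1"),
    ("2022-10-03T11:00:00", "tp-001", "refund_paid",   "5000"),
    ("2022-10-10T10:02:00", "tp-001", "bank_changed",  "bsb-x/acct-2"),
    ("2022-10-12T11:00:00", "tp-001", "refund_paid",   "5000"),
    ("2022-10-20T08:40:00", "tp-001", "bank_changed",  "bsb-x/acct-3"),
    ("2022-10-22T11:00:00", "tp-001", "refund_paid",   "5000"),
    ("2022-07-15T14:00:00", "tp-002", "bank_changed",  "bsb-y/acct-9"),
    ("2022-10-05T11:00:00", "tp-002", "refund_paid",   "800"),
]

# Assumed thresholds, illustrative only.
PER_PAYMENT_REVIEW_THRESHOLD = 10_000  # single refunds at/above this get manual review
AGGREGATE_WINDOW = timedelta(days=60)  # window for summing sub-threshold refunds
AGGREGATE_THRESHOLD = 10_000
BANK_CHANGE_WINDOW = timedelta(days=30)
BANK_CHANGE_MAX = 1                    # alert when more than this many changes in window
PRE_REFUND_WINDOW = timedelta(days=7)  # refund paid this soon after a bank change
CONTACT_EVENTS = {"email_changed", "phone_changed", "address_changed"}


def parse_events(rows):
    """Group raw tuples by taxpayer, with parsed timestamps, sorted by time."""
    by_tp = defaultdict(list)
    for ts, tp, event, detail in rows:
        by_tp[tp].append({"ts": datetime.fromisoformat(ts), "event": event, "detail": detail})
    for evs in by_tp.values():
        evs.sort(key=lambda e: e["ts"])
    return by_tp


def detect(events_by_tp):
    """Return (taxpayer, rule, note) alerts for every taxpayer in the log."""
    alerts = []
    for tp, evs in events_by_tp.items():
        banks = [e for e in evs if e["event"] == "bank_changed"]
        refunds = [e for e in evs if e["event"] == "refund_paid"]

        # Rule 1: repeated bank-account changes in a short window, regardless of amount.
        for i, bc in enumerate(banks):
            in_window = [b for b in banks[i:] if b["ts"] - bc["ts"] <= BANK_CHANGE_WINDOW]
            if len(in_window) > BANK_CHANGE_MAX:
                alerts.append((tp, "bank_change_velocity",
                               f"{len(in_window)} bank changes within {BANK_CHANGE_WINDOW.days} days"))
                break

        # Rule 2: a refund paid shortly after the destination account was changed.
        for r in refunds:
            recent = [b for b in banks if timedelta(0) <= r["ts"] - b["ts"] <= PRE_REFUND_WINDOW]
            if recent:
                gap = (r["ts"] - recent[-1]["ts"]).days
                alerts.append((tp, "refund_after_bank_change",
                               f"refund {r['detail']} paid {gap} days after change to {recent[-1]['detail']}"))

        # Rule 3: several refunds each below the review amount whose sum exceeds it.
        amounts = [(r["ts"], float(r["detail"])) for r in refunds]
        for i, (ts, _) in enumerate(amounts):
            window = [(t, a) for t, a in amounts[i:] if t - ts <= AGGREGATE_WINDOW]
            total = sum(a for _, a in window)
            if (len(window) > 1 and total >= AGGREGATE_THRESHOLD
                    and all(a < PER_PAYMENT_REVIEW_THRESHOLD for _, a in window)):
                alerts.append((tp, "sub_threshold_aggregate",
                               f"{len(window)} refunds totalling {total:.0f} within {AGGREGATE_WINDOW.days} days"))
                break

        # Rule 4: account re-linked to a new login, then contact details changed within 24h.
        for lk in (e for e in evs if e["event"] == "link_changed"):
            followed = [e for e in evs if e["event"] in CONTACT_EVENTS
                        and timedelta(0) <= e["ts"] - lk["ts"] <= timedelta(hours=24)]
            if followed:
                alerts.append((tp, "relink_then_contact_change",
                               f"{len(followed)} contact changes within 24h of re-link to {lk['detail']}"))
    return sorted(alerts)


def run(rows=SAMPLE_EVENTS):
    """Parse and detect in one call; returns the sorted alert list."""
    return detect(parse_events(rows))


if __name__ == "__main__":
    for alert in run():
        print(*alert, sep=" | ")
```

Rule 1 is the control the article says existed but did not fire; it deliberately ignores the refund amount, because the structuring in this case relied on each payment being small. Rule 3 catches that structuring by summing sub-threshold refunds over a window, and Rule 4 ties the re-link event to the burst of contact-detail changes that typically follows it. On the constructed log the control account tp-002 produces no alerts.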
As part of its investigation, ABC Investigations also contacted Services Australia, the agency that manages myGov, as well as UBank about Sam’s case; neither was able to provide any information about it.
UBank has confirmed that the accounts into which the ATO paid Sam’s refunds did not bear her name and were not associated with her TFN.
There is no indication whether those refunds were returned to the ATO, only that it might be difficult to recover them once they have been moved.
According to UBank, it could not provide information regarding how many UBank accounts have been flagged for tax fraud this year.
After analyzing Sam’s genuine myGov account, Services Australia informed ABC Investigations that it had never been hacked and that all fraudulent activity had originated from the fake myGov account.
The statement said that the security measures in place at myGov are “robust” and Sam’s account is “safe and secure”.
In its response, it did not address why myGov allowed users to create bogus accounts, but it provided an overview of the security measures that had to be met before a myGov user could link to other accounts, such as those of the ATO.
Member service accounts cannot be accessed simply by creating a myGov account.
The ATO declined to answer questions about its detection systems or to say how common this type of fraud is, citing the need to minimise the risk of further fraud.
Cybersecurity in secret
Founder of Thinking Cybersecurity and adjunct professor of cryptography at Australian National University, Vanessa Teague, believes that keeping information about cyber security problems secret is harmful.
Ms Teague noted that Australians have a habit of hiding details and citing security concerns as the reason.
“In the event that the protocol is not sound, then keeping it hidden from the public won’t help anybody because the bad people will figure out how it works, so you are preventing good people from assisting you.
Knowing why things went wrong would allow every organisation with sensitive information about people to use each attack as an opportunity to learn instead of making the same errors repeatedly.”
Katherine Mansted, a cybersecurity expert with CyberCX, spoke to ABC last month about how hacking victims were often left in the dark about what had happened.
There is a pressing need for law enforcement and the government to rethink and review their processes regarding victim notification. This review is long overdue.
This hack consisted of several small frauds that took place in plain sight for several weeks without being detected.
It is unlikely that most people will look into their tax accounts until next July, according to Sam.
“It could be happening willy-nilly until July next year if this is happening to a whole lot more people as well.
As taxpayers, we will all be held responsible for the bill, which may amount to millions or even worse.”
While Sam believes the ATO should be more alarmed by her case, the agency has implemented additional security measures on her account.
In response, she contacted her local MP, Mr Shorten, who is also responsible for myGov. He referred her to Clare O’Neil, the minister for cyber security.
According to Sam, the office of Ms O’Neill was polite. After listening to her story, they thanked her for sharing it.
There has been no communication from them since then.