Fraud Enabled by MyGov ‘Security Gap’ Costs Australian Taxpayers $500 Million

Information on this page was reviewed by a specialist defence lawyer before being published.

The Federal Government’s PR department has gone into overdrive this week, boasting about how it is drafting National Digital Identification legislation which it claims will safely and securely use the personal data of millions of Australians to streamline access to services.

It is a curious boast given the government’s appalling track record of protecting such information, from wholesale breaches of Census data to the My Health Record hacks and infiltration of the Australian Driver Licence database, and of course the systematic misuse of metadata accessed through its compulsory metadata retention scheme.

MyGov ‘security gap’ costs taxpayer half a billion dollars

In its latest failure to keep private data safe and secure, the government has had to acknowledge this week that what it has called a ‘security gap’ in its myGov scheme has enabled nefarious individuals to make fraudulent claims in the sum of more than half a billion dollars in the past two years.

Essentially, these people have been gaining unauthorised access to data held by the Australian Taxation Office (ATO) via the myGov hub, which connects users to a number of Commonwealth services including the ATO, Medicare, and Services Australia.

They then create false myGov accounts and link them to the tax files of genuine Australian taxpayers, enabling them to commit fraud offences netting hundreds of millions of taxpayer dollars.

According to figures published by the ABC, in the financial year 2021-22, more than $237 million was claimed via false Business Activity Statement (BAS) and tax refund claims. The fraud was perpetrated across the files of more than 7,500 taxpayers. Last financial year the figure extended to $320 million, involving 8,100 taxpayer accounts.

It’s not only the extent of the fraud that is staggering, but the fact that it took two years to uncover.

Data obtained from other cyber breaches

And how were hackers able to exploit the system? Through stolen credentials from other high profile security breaches including Woolworths, Medibank and Optus.

At the time of those cyber attacks, it became abundantly clear to Australians whose information was stolen, that they had very little recourse under our country’s ‘very weak’ cybersecurity laws.

Yes, there are hefty fines – but you can fine a big corporation as much as you like for having weak cyber security – for most of them it is small change, and will only result in a temporary share price drop and a dent in their reputation – and presently very little can actually be done for ordinary Australians whose identity has been stolen and is being used elsewhere to commit crimes.

The ATO’s response to the crisis has been to encourage taxpayers to practice good “cyber hygiene” and “proactively log in and look for anything … suspicious, the same way they would monitor their bank accounts.”

These phrases sound eerily familiar.

Similarly, when Optus, Medibank and Woolworths had their data hacked and leaked, their advice to affected customers was just as vague.

We’re expected to hand over this data – sensitive and private identifying information – to access products and services, and yet these companies, despite their massive annual profits, expect each of us to take the time to be ‘vigilant’.

Not only do many of us not actually know what kind of ‘suspicious activity’ we’re looking for, but it is simply not possible to be completely one-hundred-percent-vigilant across all the companies and platforms we are constantly interacting with online, all of the time.

Companies and organisations need to take much more responsibility for the data they demand, and hold, and for preventing breaches.

When those cyber security breaches occurred at the end of last year, the Federal Government responded with platitudes along the lines of strengthening laws.

But it would also appear that, meanwhile, it has been deciding to again try a national ID.

The idea is not new – it has been bandied about by other governments; even John Howard proposed a similar idea.

What they have failed to consider though, is whether or not Australians even want one.

Australia’s appalling track record for technology schemes

And the government will now try to make us all feel pretty enthusiastic about this National ID scheme, but can we forget that Australia does not have a particularly successful track record of implementing national technology?

Does anyone remember the 2016 Census?

What about the NBN that is still way behind schedule? Which was recently criticised by experts as being “not competitive” and “obsolete technology”, despite costing taxpayers billions.

What about the My Health Record failures? The COVIDSafe app?

On the whole, dismal failures, all of them. A complete waste of taxpayer money.

Broken trust

But even without this less than glossy track record, one would think that the idea of a National ID database would be pretty hard to sell to many of us, particularly right now, not just with the ATO scam making headlines and other high profile data breaches still in recent memory, and because the Morrison Government introduced a range of laws which allow federal police and other authorities to ‘check up’ on us via government-held data … but mostly because the disgraceful Robodebt legacy is still very fresh.

The Royal Commission report is damning testimony to the fact that politicians can – and sometimes do – engage in misconduct and abuse their power.

Further, as a nation, we have a long history of not holding them accountable when they do so. Perhaps that will soon change.

But in the meantime, putting aside the billions Robodebt has cost taxpayers in various inquiries and compensation, and the endless blame-shifting that’s occurred over time, we must not forget that people’s lives were irrevocably changed and in some cases ruined.

Many people died because those in positions of responsibility did not take due care – they kept running a flawed government system that was fraught with problems, despite knowing it to be so.

Sure, now we have different leadership – Anthony Albanese is the PM – but that doesn’t change the fact that trust has been very badly broken.

The aftermath of Robodebt is an important opportunity for Australians to take a moment to seriously consider how we view, and choose, those individuals we elect (and pay the salaries of) as well as just how much confidence we really have in them.



Sonia Hickey

Sonia Hickey is a freelance writer, magazine journalist, and owner of 'Woman with Words'. She has a strong interest in social justice and is a member of the Sydney Criminal Lawyers® content team. Sonia is the winner of the Mondaq Thought Leadership Awards, Spring 2022.
