The Government must inform taxpayers, BAS and Tax Agents, Bookkeepers and Accountants about this insidious hack
Australia has had a rollercoaster couple of months enduring the hard reality check of how much of our personal data and ID information is being held by companies. While the Optus and Medibank data hacks have received numerous headlines and strong government responses, there has been near silence over the hacking scheme of myGov and the ATO.
In September, the ABC released a story reporting that Accountants had been reporting a spike in hackers lodging false tax returns and superannuation claims. You can read that story here. Unfortunately, this wasn't news to me as I had already been personally affected by such a breach involving my ex-husband.
John* had been hacked, and it has been devastating. It started with a silent takeover of his myGov account, redirecting the verification codes to another phone number and changing the email address, all without his knowledge. The next step in the myGov/ATO hacker handbook is submitting adjusted returns for past years' tax returns to gain refunds. Changing bank accounts for the refunds is a way the hackers have been keeping ahead of the ATO and hacked victims. The perpetrators then submitted requests to the ATO to transfer John's superannuation to another fund. While myGov and the ATO are where it started, the hackers then went on to direct debit his bank account as well.
To this day, John still does not know how this happened. What is important to note here is that the hackers have gained full access to the information on the tax returns previously lodged, affecting not only the hacked victim. Here is where this hack rolled over into my life – as John's former wife, the hackers had access to my tax file number and bank account details from our past joint returns. I have had to lock down my ATO account and add security to my online banking. The hack is like a virus creating a pipeline of further potential victims.
myGov and ATO details are so sensitive and powerful that the hackers could also affect withdrawals from John's superannuation by initiating a transfer to another fund through the ATO. Once he had those locked down, and even though he had suspended his phone and online banking, the hackers still managed to get over $26,000 from his bank accounts. Here the banks come into play. While their front door may have various security measures, the hackers know the back door is wide open. The first $10,000 was a direct debit for a gym membership in John's case. The only contact information from the company submitting the direct debit form was a mobile phone number. The hackers then opened up an American Express account in John's name. They managed to withdraw a further $16,000 from a gated online savings account. No questions asked, no notification to John.
It is not hard to imagine just how hard this major violation affects an individual, nor how hard it is for someone to recover and lock down their accounts to stop further harm. John is not alone. On 18th December, the ABC posted another story on the myGov and ATO hack, the story of Sue, which mirrors John's story. To date, it seems that it is mainly the ABC which is covering this horrific breach.
There seems to be an unusual silence regarding the myGov and ATO data breaches, potentially leaving many Australians unaware that they are victims. Their accountants picked up John, Sharon and Sue's breaches. They received no other notifications.
John's tax agent has been dogged and tenacious in searching for answers. They uncovered the hackers' phone call to change the myGov link. The hacker supposedly supplied John's driver's licence number and the address of their investment property to change the link. A strange combination of personal information to be able to supply.
The weakest links in the ATO chain
So, where are the weak links that these hackers may be exploiting? While silence from the ATO and Government seems to be the weakest link, outsourcing potentially holds others. You may be unaware that many accountants use "back office" support. This overseas-based support enables Accountants to complete the work of larger client bases than their in-person staff can cope with at a much cheaper rate. The "back office" prepare tax returns, amongst other tax-related services.
While vetting these support services is vigorous, they have access to an accountant's client's tax information, including their tax file number, investment properties, bank accounts and other identifying information. I make no accusations here as I know accountants generally apply extreme due diligence with any outsourcing and their client's data.
Another weak link in the ATO and myGov chain is the outsourced call centres they use. As recently as April 2021, the ATO changed call centre contractors. When you call the ATO, you are speaking to the personnel of a contracted company. These call centre personnel can access ATO and myGov information. After asking a series of identifying questions, they can also issue new myGov links upon request. Again, I make no accusations, as it makes sense that the ATO would have applied the most thorough due diligence in ensuring this data was secure.
The critical areas that the hackers are exploiting that I am aware of are:
· Changing the myGov link and contact details
· Refiling tax returns for refunds
· Transferring superannuation funds
· Direct debiting bank accounts
· Refiling BAS statements for refunds
· The First Home Super Scheme
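Each of the areas listed above leaves a trace in account activity, and the pattern the article describes (contact details or the myGov link changed, followed within days by amended returns, a new refund bank account and a super transfer request) is one a tax agent or bookkeeper can look for when monitoring a client's activity. The script below is an added example and not part of the article or any ATO or myGov tooling; the event feed format, field names and account labels are constructed for illustration, so it would need adapting to whatever activity export an agent actually has.

```python
"""
Correlate account activity events to flag the takeover chain described in the
article: a contact/link change followed shortly by financial actions.
Added example; the event format ('timestamp|account|kind|detail') and every
event kind name are assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Events that change who controls the account (constructed kind names).
CONTACT_CHANGE = {"mygov_link_changed", "contact_phone_changed", "contact_email_changed"}
# Events that move money or redirect where it goes (constructed kind names).
FINANCIAL_ACTION = {"return_amended", "refund_bank_changed", "super_transfer_requested",
                    "bas_amended", "direct_debit_created"}


@dataclass(frozen=True)
class Event:
    when: datetime
    account: str
    kind: str
    detail: str


def parse_events(lines):
    """Parse constructed 'ISO-timestamp|account|kind|detail' lines; skip blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, account, kind, detail = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(when), account, kind, detail))
    return sorted(events, key=lambda e: e.when)


def find_takeover_chains(events, window_days=30):
    """
    For each account, find the earliest contact/link change that is followed within
    `window_days` by one or more financial actions and report it once per account.
    A refund bank account change in the chain raises the risk to 'high', since that
    is how refunds on amended returns are diverted.
    """
    by_account = {}
    for e in events:
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        for i, trigger in enumerate(evs):
            if trigger.kind not in CONTACT_CHANGE:
                continue
            deadline = trigger.when + timedelta(days=window_days)
            followups = [e for e in evs[i + 1:]
                         if e.kind in FINANCIAL_ACTION and e.when <= deadline]
            if followups:
                kinds = {f.kind for f in followups}
                alerts.append({
                    "account": account,
                    "trigger": trigger.kind,
                    "trigger_time": trigger.when.isoformat(),
                    "followups": [f.kind for f in followups],
                    "risk": "high" if "refund_bank_changed" in kinds else "medium",
                })
                break  # one alert per account, anchored on the earliest trigger
    return alerts


# Constructed sample feed: TFN-A is routine activity, TFN-B matches the pattern.
SAMPLE_LOG = """
# timestamp|account|kind|detail
2022-08-01T09:12:00|TFN-A|return_lodged|2022 return lodged by agent
2022-09-03T14:05:00|TFN-B|mygov_link_changed|link re-issued by phone
2022-09-03T14:09:00|TFN-B|contact_phone_changed|new mobile number
2022-09-03T14:11:00|TFN-B|contact_email_changed|new email address
2022-09-05T10:30:00|TFN-B|refund_bank_changed|new BSB/account for refunds
2022-09-06T08:15:00|TFN-B|return_amended|2020 return amended, refund claimed
2022-09-06T08:20:00|TFN-B|return_amended|2021 return amended, refund claimed
2022-09-12T16:40:00|TFN-B|super_transfer_requested|rollover to another fund
2022-10-20T11:00:00|TFN-A|contact_email_changed|client updated email with agent
"""


def run_sample(window_days=30):
    """Run the correlation over the constructed feed and return the alerts."""
    return find_takeover_chains(parse_events(SAMPLE_LOG.splitlines()), window_days)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample feed only TFN-B is reported: the re-issued myGov link anchors the chain, and the refund bank account change two days later marks it high risk. TFN-A's email change on its own produces nothing, which is the point of correlating the contact change with what follows it rather than alerting on either event alone; the window length is the knob to tune against the delays seen in real cases.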
How? For how long and by whom?
So, where are the major announcements on how the Government and its agencies are trying to stop this scheme? Where is the warning to the public, accountants and tax agents to vigilantly check what is happening behind the scenes of myGov and ATO accounts? It seems that the ABC is the only member of the mainstream media to date that is trying to alert the public. In November, their investigation uncovered the details of myGov accounts being traded online for as little as $1 USD.
While the ATO has now applied extra security measures to changing bank accounts for refunds, it has largely left the victims of this scheme devastated. John told me that even when he took all possible steps to lock down his accounts, the hackers still managed to access his bank account through direct debits. He remains convinced that he will have to be ever vigilant as the hackers may just put his details on a waiting list to try again in six months, a year or longer.
I have heard frustration and despair from the hacking victims so far, as none of the organisations involved seems to want to take any responsibility. The blame-shifting has been directed at accountants and the victims themselves. Victims of what seems to be a highly sophisticated scheme that involves a number of key identity data points from within the myGov and ATO systems.
So what can individuals do to limit their vulnerability?
Luckily in Australia, we have a fantastic team of tech journalists dedicated to informing the public about breaches and what people can do to take some control. Here are a few ways in which you can check or limit your vulnerability:
A simple start is to check whether your email or phone number appears in a known data breach; https://haveibeenpwned.com/ is where you can start;
The Australian Signals Directorate provides tools, advice and information on what to do if you have been hacked;
Check your ATO account on myGov for any suspicious activity. The ATO can lock down your account if you think your tax and bank information may have been hacked. The ATO's Client Identity Support Centre will run through several questions with you to assess your myGov and ATO vulnerability. If they deem your account vulnerable, it is locked down, and you are given a phone number to call when you need to access it. If you need to lodge a return or do something else with your ATO account, the Centre will open up your account for 24 hours. Alternatively, they can verify your Tax Agent, BAS Agent or Accountant and give them access.
If you have a Tax Agent, Accountant, BAS Agent or Bookkeeper, notify them and ask them to help you monitor the activity on your ATO and bank accounts.
Add voice identification to your phone banking. This security measure is impossible to replicate. If you have been hacked, then it is best to disable online and phone banking until you are 100% sure you have secured your accounts.
If you have been caught by this myGov/ATO scheme, please notify the ATO, your bank/s, the Office of the Australian Information Commissioner and your local MP to push the Government to take transparent and firm action.
For more information, you can visit these articles and sites:
https://www.abc.net.au/news/2022-12-18/ato-tax-hacked-via-myGov-services-australia-exploit/101781656
*name changed to protect privacy