ATO staff fired for viewing confidential data

A dozen employees have either been sacked or resigned after internal audits of logs by the Australian Tax Office (ATO) showed employees had been abusing their access privileges.

A dozen employees have either been sacked or resigned after internal audits of logs by the Australian Tax Office (ATO) showed employees had been abusing their access privileges.

According to the ATO, employees were sent on a training program aimed at educating staff how handle taxpayer information after investigations showed that 27 staff had gained unauthorised access to personal tax records in 2006.

Access to personal tax records outside the normal course of business is prohibited under current privacy laws. Staff caught accessing records illegally face heavy fines or jail terms.

However, the ATO claims stamping out unauthorised access is impossible.

"While no level of unauthorised access is acceptable, in an organisation of about 22,000 people it is inevitable that a very small number of people will be tempted to do the wrong thing," an ATO spokeswoman told The Australian.

Last year federal Treasurer Peter Costello was unsure whether the actions of these staff meant the tax office had a "cultural problem" in relation to the handling of tax payer information.

Rob Mackinnon, an access management consultant for analyst firm IBRS, told ZDNet Australia that rather than being a cultural problem it was a problem with human nature and affects all large organisations dealing with sensitive information.

Privacy breaches in an organisation like the ATO are inevitable and would likely require internal intelligence to be identified since constant monitoring would be too onerous from a technology point of view, he said.

"[Privacy breaches] will always tend to happen because in some respects, by having stringent privacy guidelines, it's like hiding candy from the kids," said MacKinnon.

Other security problems faced by the ATO related to unauthorised access to tax information by external taxation agents via its Web portal.

The Audit Office found that in 2006, the ATO did "not have the capability for the timely production of a clear and meaningful end-to-end view of a user's actions within the Portals" used by tax agents.

To alleviate some of these problems the ATO deployed a centralised audit logging system using Tier-3's Huntsman security product.

At time of writing, the ATO was unavailable for comment.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All