Gold star for the ATO

Gold star for the ATO

Summary: If Australia is going to take information security seriously, we need more people like the ATO's CIO, Bill Gibson.


If Australia is going to take information security seriously, we need more people like the ATO's CIO, Bill Gibson.

It's no secret that people don't like discussing their business's security woes — I've been knocked back so many times after asking to discuss security it almost feels silly asking the question.

So when I first called the ATO a few months back, after learning that PriceWaterhouseCoopers was conducting a review of the ATO's security practices, I expected my interview request to be declined. After all, the ATO is an AU$700 million a year IT shop which contains some of Australia's most sensitive information.

So to say I was shocked a few days ago, after hearing from the ATO that Gibson was ready to speak about the security review, is an understatement.

This is the problem with security in Australia and why we could benefit from data breach disclosure laws. As I said in my blog last week, the information we do have access to is mostly trite. The result is that we are limited in the ways we can think and discuss security. For consumers, it makes it almost impossible to assess the state of security in the country and the risks they face.

Anyway, after my initial excitement at the prospect of talking security with Gibson, I began to have doubts. They must have got a gold star in the review, I thought.

Which is why, when I secured a copy of the 100-page review yesterday, I was again shocked. The review found a security-conscious culture at the ATO — as you would hope — but also found some staff didn't know how to use approved file transfer channels, and serious problems when it came to the accountability of organisations it shares taxpayer information with.

Of course, the ATO hasn't experienced a HMRC-style data breach, so the review doesn't cut that deep. Even so, Gibson admitted a briefcase containing taxpayer information had been stolen, a disc lost and porn being e-mailed by staff.

The review also discovered interesting human responses to security measures. Staff at government agencies must classify outbound e-mails according to their level of confidentiality, except some staff who were "strategically" labelling them to either restrict access or bypass restrictions.

The most interesting aspect of the review, however, is that the ATO cannot be alone in the security challenges it faces. Nearly every person — vendor and end-user — I have spoken with is concerned about data leakage. And with the ATO's 22,000 staff, I can imagine some difficulties getting security right across the whole organisation. Yet as far as I can tell, no organisation, private or public, has opened itself in this way.

The ATO's security review is one of the most useful documents I have seen in my time at this publication, so it and the ATO, get a gold star.

Topics: Security, Government, Government AU, Reviews

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Medicare Australia and Pharmacy IT Data Security

    This article raises a number of very good points.
    Security of IT systems and the personal data contained in their databases is of paramount importance to most Australians. But, we are not supported by the comfortable burghers in Canberra when we try to resolve security flaws.
    Medicare Australia has installed a system for checking and approving the dispensing of prescription drugs in community pharmacies around Australia.
    The provision of the necessary software to community pharmacies was outsourced to a limited number of Dispensary Systems Software Providers.
    It is interesting that at least one of these providers instruct pharmacists to "turn off" all firewall systems on their network so that the software will function correctly. The companies also instruct the pharmacists to "share the root directory of the C drive" and set all dispensary users on the network to have administrator privileges. They have also instructed pharmacists to turn off standard Internet Security products such as Trend Micro and AVG, because the software will not work correctly while these programs are running.
    Standard privacy protection methods strongly recommended by Microsoft are being ignored. Indeed. security measures that we would employ in are own homes is of a higher standard than that employed for sensitive personal details, medical and financial information stored at the local pharmacy.
    As a consumer, I feel we are being seriously let down by Medicare Australia.
    It is time bureaucrats in Canberra took IT systems security seriously. In my opinion, it is not acceptable for Government to say that their systems are secure if their major business partners have little or no security.
  • Security Clearance for Health Data

    As a son of a pharmacist and an IT worker with the ATO, I too was surprised at the access granted to these dispensary software providers.
    As an ATO employee, I was vetted by a security agency who now know what colour underwear I wore on the 24th of March eight years ago, and have granted me a "Highly Protected" security rating. This means if access to taxpayer's information is required by my job, I am allowed to access it. However it is not a requirement of my job and other systems exist that prevent access, as it should be.
    So who are the people who have the power to remote into these pharmacists' sytems and view, copy or even amend patient information? What security checks have they undergone? and what colour underwear were they wearing on the 24th of March eight years ago?
  • Medicare Data Remote Access

    Access to probably half of the pharmacy computers in Australia is available via!?!!!!