Australian tax staff fired for security breach

Employees at the Australian Tax Office have lost their jobs after they were found to have abused their access privileges

A dozen employees have either been sacked or resigned after internal audits of logs by the Australian Tax Office showed employees had been abusing their access privileges.

According to the ATO, employees were sent on a training program aimed at educating staff how to handle taxpayer information after investigations showed that 27 staff had gained unauthorised access to personal tax records in 2006.

Access to personal tax records outside the normal course of business is prohibited under current privacy laws. Staff caught accessing records illegally face heavy fines or jail terms.

However, the ATO claims stamping out unauthorised access is impossible.

"While no level of unauthorised access is acceptable, in an organisation of about 22,000 people it is inevitable that a very small number of people will be tempted to do the wrong thing," an ATO spokeswoman told The Australian.

Last year Australia's federal treasurer Peter Costello was unsure whether the actions of these staff meant the tax office had a "cultural problem" in relation to the handling of tax-payer information.

Rob Mackinnon, an access management consultant for analyst firm IBRS, told ZDNet Australia that rather than being a cultural problem, it was a problem with human nature, and affects all large organisations dealing with sensitive information.

Privacy breaches in an organisation like the ATO are inevitable and are likely to require internal intelligence to be identified, since constant monitoring would be too onerous from a technology point of view, said Mackinnon. "[Privacy breaches] will always tend to happen because in some respects, by having stringent privacy guidelines, it's like hiding candy from the kids."

Other security problems faced by the ATO related to unauthorised access to tax information by external taxation agents via its web portal.

The Audit Office found that in 2006, the ATO did "not have the capability for the timely production of a clear and meaningful end-to-end view of a user's actions within the portals" used by tax agents.

To alleviate some of these problems the ATO deployed a centralised audit logging system using Tier-3's Huntsman security product.

At the time of writing, the ATO was unavailable for comment.