Data breaches upping ATO fraud 'red flags'

There has been a 'spate' of hack-related fraudulent activity identified, the taxation office said.

The Australian Taxation Office (ATO) has a "red flag" feature, which serves up a "ping" whenever an individual or business is suspected of having had fraudulent activity conducted against their name, or when their account has been compromised.

Facing Senate Estimates on Tuesday, ATO client engagement second commissioner Jeremy Hirschhorn explained that this ping was effectively a caveat on taxpayers' affairs.

While Hirschhorn said there was no increase in fraudulent activity that could be directly tied to the COVID-19 pandemic, he said his teams have been very focused on fraud this year.

"Obviously there are new mechanisms of potential fraud across all the programs. We have found -- I have previously testified to the level of fraud in the ERS program, which is at about 0.3% of applications on our country, which is a very, very low level of fraud. We have also been looking at JobKeeper and Cashflow Boost and have not found systemic fraud," he said.

"We have found that there have been some individual opportunistic frauds but we have not identified a high level of fraud and part of that was the design feature of the measures which were designed to be available only to those who have a good lodgement and tax history, which made it harder for people to resurrect dormant entities."

On the reports of fraud related to the federal government's early access super scheme, Hirschhorn said the ATO has received a variety of suspicious matter reports from Austrac. But he also said there has been an increase in data breach-related fraud.

"There has also been a spate of -- you know, when an organisation has its payroll data, amongst other data hacked, there have been a few hackings of companies which have meant that we have put more red flags on identity files," he said.

In Australia, the Notifiable Data Breaches (NDB) scheme requires agencies and organisations that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of a breach.

In general terms, an eligible data breach refers to the unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.

In its last report, the Office of the Australian Information Commissioner revealed the total number of reported data breaches in Australia for the 2019-20 financial year was 1,050.

For the six months spanning January to June 2020, 518 breaches were notified under the NDB scheme. 124 of those breaches occurred during May, the most reported in any calendar month since the scheme began in February 2018.

Most of these were attributed to human error.
