An investigation into Services Australia’s response to myGov fraud arising from unauthorised linking to member service accounts
Services Australia taken to task over myGov security
Security holes found in myGov fraud protections
Investigation finds staff did not ask required security questions.
Services Australia has agreed to improve the security of Australia’s social services platform myGov after an investigation by the Commonwealth Ombudsman found its security controls were “not adequate” to protect users from fraud.
The Ombudsman’s report, released on Tuesday, found myGov had “limited” security protocols to protect against fraudsters linking the service accounts of victims to fake myGov accounts, which could then be used to steal funds such as tax refunds or Medicare benefits.
The investigation found that a key security issue was the differing standards of proof required to link a myGov account to services such as Medicare, the Australian Taxation Office (ATO) and Centrelink.
It also found there were “no additional security checks to ensure high-risk transactions are authorised by the genuine customer” and recommended better use of multi-factor authentication for requests such as changing an address or bank account details.
The legislation under which Services Australia operates was also found to potentially limit its ability to coordinate across government services when helping customers who had reported fraud or data breaches.
Services Australia accepted all four recommendations made by the Ombudsman, and said it was “committed to protecting people from identity theft and scammers”.
The agency said it was dealing with “more than 300 scams per week impersonating myGov” and had seen “coordinated fraud activity operating in an opportunistic and systematic way” to target government services.
Services Australia noted a rise in data breaches and scams across the economy in recent years, and said “the cyber threat landscape has deteriorated substantially since myGov was first designed and implemented in 2013”.
Services Australia General Manager Hank Jongen told Information Age that the agency understood it could be “a stressful experience” when scammers compromised a person’s myGov account or its linked services.
“Maintaining the security of myGov and the protection of people’s personal information remains a top priority, and we’re committed to ongoing improvement,” he said.
Jongen added that the Ombudsman’s investigation provided “helpful recommendations” but also showed Services Australia was “on the right path”.
“Work is already underway to address the identified issues, as well as other security improvements to ensure myGov remains trusted, safe and secure,” he said, pointing to the example of passkeys — a more secure alternative to passwords — which were added to myGov in July.
The office of Social Services Minister Bill Shorten declined to comment on the Ombudsman’s report.
Staff ‘did not ask’ security questions
The Ombudsman said fraudsters had used stolen identity information to meet myGov’s Proof of Record Ownership (PORO) requirements, and then used this access to obtain more information and use an individual’s other linked services.
In one example the Ombudsman said a victim complained after their Centrelink account was linked to a different myGov account and then used to make a fraudulent claim.
“Our investigation found that the second breach occurred because claims staff did not ask all the required security questions of the fraudster,” the Ombudsman’s office said.
“During the phone call the fraudster was able to change the address, bank account details for the account and lodge a disaster recovery payment claim.
“We found that the customer's Medicare record was also breached via a phone call a few days after the Centrelink breach.
“Again, the fraudster changed their address and requested a new Medicare card.
“The customer told us the fraudsters then used their Medicare details to access his ATO record, submit fraudulent tax returns and change the bank account details recorded on their ATO record to intercept the resulting refunds.”
The Commonwealth Ombudsman says the sensitive data held by myGov needs to be protected. Photo: Tom Williams / Information Age
Commonwealth Ombudsman Iain Anderson said the security of myGov was of the highest importance.
“Given the volume and sensitivity of information held in member service accounts linked to myGov, robust protections to stop fraudsters gaining unauthorised access to myGov accounts are essential,” he said.
“People have told us about the stress and anxiety they experienced when their personal information was stolen, and fraud committed in their name.
“In these circumstances, it is particularly important that Services Australia provide accessible, consistent and clear information to help people.”
Services Australia promises changes
The Ombudsman’s investigation made four recommendations and two suggestions for myGov — all of which were accepted by Services Australia in late July.
The agency said it would review its processes for confirming a user’s proof of record ownership “across the myGov ecosystem” by the end of 2024, before implementing changes in early 2025.
Services Australia agreed to “implement additional security controls for high-risk transactions across Centrelink, Medicare, and Child Support” by June 2025, including when updating bank account details.
It said it would also “ensure sufficient and consistent verification steps are in place to link agency services to myGov” and would launch a security dashboard that lets users quickly see their security settings.
The agency said a new customer authentication tool would “require a higher level of authentication” for high-risk requests and transactions over the phone and in person by the end of 2025.
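The two weaknesses the Ombudsman identified (inconsistent standards of proof across linked services, and no extra check before high-risk transactions) and the step-up controls Services Australia has now committed to can be illustrated as a small policy model. This is an added example, not code from Services Australia or myGov; the 1-3 assurance scale, the transaction labels, the seven-day detection window and the sample timeline are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Transactions the Ombudsman's report treats as high risk (assumed labels)
HIGH_RISK = {"change_address", "change_bank_details", "lodge_claim", "replace_card"}

@dataclass
class LinkedService:
    name: str
    poro_level: int  # assumed 1..3 scale: assurance at which proof of record ownership was met

@dataclass
class Session:
    linked: dict           # service name -> LinkedService
    mfa_verified: bool = False

def effective_assurance(session: Session) -> int:
    """Weakest link: the account is only as strong as its lowest-assurance link."""
    return min((s.poro_level for s in session.linked.values()), default=0)

def authorise(session: Session, service: str, transaction: str, required_level: int = 3):
    """Return (allowed, reason). High-risk transactions need the strictest PORO
    standard across all links plus an MFA step-up, whichever service was linked."""
    if service not in session.linked:
        return False, "service not linked"
    if transaction not in HIGH_RISK:
        return True, "low-risk transaction"
    if effective_assurance(session) < required_level:
        return False, "step-up required: weakest linked service below required assurance"
    if not session.mfa_verified:
        return False, "step-up required: MFA needed for high-risk transaction"
    return True, "authorised"

def flag_takeover_pattern(events, window: timedelta = timedelta(days=7)) -> bool:
    """Detection: address change and bank-detail change followed by a claim or
    card request inside `window`, the sequence in the Ombudsman's example."""
    events = sorted(events)
    for i, (t0, _) in enumerate(events):
        seen = {tx for t, tx in events[i:] if t - t0 <= window}
        if {"change_address", "change_bank_details"} <= seen and seen & {"lodge_claim", "replace_card"}:
            return True
    return False

# Constructed sample timeline mirroring the report's example (not real data)
T = datetime(2024, 1, 10, 9, 0)
FRAUD_EVENTS = [(T, "change_address"), (T + timedelta(minutes=5), "change_bank_details"),
                (T + timedelta(minutes=9), "lodge_claim")]
BENIGN_EVENTS = [(T, "change_address"), (T + timedelta(days=90), "lodge_claim")]
```

With a single low-assurance link the bank-detail change is refused regardless of which service was linked first, and the sample timeline is flagged because both detail changes and the claim fall inside the window.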
Services Australia said it was also undertaking work to evaluate its operating legislation and improve information sharing between government services.
An Auditor-General's report released in June found Services Australia was unprepared for “a significant or reportable cyber security incident” and was a target for criminals given the sensitive data it handled.