Users of myGov aren’t adequately protected from fraud and Services Australia needs to improve and co-ordinate security across all government entities connected to it, the Commonwealth Ombudsman says.
MyGov was launched in 2013 as the federal government’s front door for digital services across 17 entities, including Centrelink, Medicare and the ATO.
However in recent years the platform has increasingly been the target of cybercriminals and fraudsters.
In late 2022 a large volume of confidential information, including myGov login details, became available for sale on the internet, with reports suggesting that fraudsters were creating fake myGov accounts and using stolen identity information to link them to ATO accounts, lodge false tax returns and claim refunds.
Inquiry launched
The Ombudsman launched an inquiry in response to those reports in 2023.
“We wanted to look at what Services Australia, as the myGov administrator, is doing to strengthen security for unauthorised linking,” Ombudsman Iain Anderson said.
“We also wanted to understand why there was an apparent lack of co-ordination across Centrelink and Medicare when helping people impacted by identity theft and myGov fraud, including unauthorised linking.”
The investigation found myGov’s current security controls do not adequately protect people from unauthorised linking related to identity theft.
It also found a lack of security checks to ensure high-risk transactions – such as changing bank account details – were made by the genuine customer, as well as shortcomings in managing shared risks across the myGov ecosystem and a limited ability to provide a co-ordinated response when data breaches were reported.
Services Australia needs to step up
Services Australia needs to improve security controls around myGov and do more to protect Australians against online fraud, Mr Anderson’s report, released on Tuesday, says.
“Given the volume and sensitivity of information held in member service accounts linked to myGov, robust protections to stop fraudsters gaining unauthorised access to myGov accounts are essential,” he said.
Security controls for unauthorised linking were limited and varied across individual agencies, he found.
“The investigation found that preventative security controls for unauthorised linking are limited to the proof of record ownership processes that are implemented by the individual myGov member service agencies. These processes vary across those individual agencies,” Mr Anderson said.
“APS agencies responsible for administering a system or program that involves other agencies, like myGov, should understand the levels of risk across the system and ensure risks that could impact other participants are managed effectively, including through identifying and managing shared risks.”
Services Australia has accepted the report’s recommendations, which include improving security controls for unauthorised linking and high-risk transactions, improving the way agencies manage shared risks across myGov, and improving the way it responds to reports of fraud and data breaches across its member services.