Australians’ tax details could be at risk after criminals accessed part of the Australian Taxation Office system.
A note from the tax office to tax agents on February 5 urged them to check if their log-in had been used by a third party to access the tax agent portal.
With an agent’s log-in, a criminal has access not only to an agent’s clients but – if they know three pieces of information about a person – to every taxpayer’s information.
Tax agents warned that a criminal with access to the portal could potentially lodge a fake tax return and claim the money themselves or use the information to steal someone’s identity.
The tax office said at least four tax agents had their identity stolen. It did not say whether the agents were small or large in size or how many clients each had.
Tax agents contacted by Fairfax Media said a criminal with access to the tax agent portal and an individual’s tax file number, date of birth and name could access their personal information and re-direct their funds.
‘‘It’s got everything in there,’’ one agent, who did not want to be identified, said.
‘‘In there are all my client’s records pertaining to at least the last three years for personal tax, and, of course, it also has access to the client accounts of companies, superannuation funds, trusts – just about everything.’’
Sydney security expert Chris Gatford, of Hacklabs, said the breach was worrying, and that it was easy for a criminal to get the information needed to invade someone’s records once they had access to the portal.
The tax office did not respond to questions from Fairfax Media, but instead posted a statement in the comments section of an online article about the breach.
It said the contents of the Fairfax article were ‘‘incorrect’’, but
failed to explain what it took
issue with. ‘‘Taxpayer inform-
ation is not at risk,’’ the comment said.
‘‘An AUSkey [into the portal] gives access to a tax agent’s client list, it does not give access to the information of the broader taxpaying community.’’
Several tax experts contacted by Fairfax Media said this was not the case.
Further questions have been asked about whether the tax office has the technical capability to see who exactly has accessed a taxpayer’s records and how many incidents of malicious activity it has detected.
Federal Privacy Commissioner, Timothy Pilgrim, said the tax office had informed him of the incident.
Mr Pilgrim said the tax office told him it had taken steps to fix the security issue and that the privacy commissioner was not investigating ‘‘at this stage’’.
‘‘If any individuals are concerned that their information may have been compromised, they should first contact their tax agent or the [tax office]. If they are not satisfied with the response, they can then lodge a complaint with our office,’’ he said.
Assistant Treasurer David Bradbury declined to comment.