Commonwealth Ombudsman criticises myGov security controls


The Commonwealth Ombudsman has criticised myGov’s lack of security protocols and Services Australia’s response to reports of systemic fraud in its latest investigative report.

The ombudsman commenced its investigation into myGov and Services Australia after news reports surfaced in 2022 of “escalating incidents of tax fraud committed by unauthorised third parties linking genuine taxpayer records to ‘fake’ myGov accounts”, with Centrelink and Medicare accounts affected in the same way.

The investigation examined the steps Services Australia had taken to strengthen security measures against unauthorised linking, and questioned the lack of coordination and interoperability across Centrelink and Medicare when it came to supporting victims of identity theft and fraud.

The ombudsman made several findings as a result of its investigation, including:

  • “myGov’s current security controls do not adequately protect people from unauthorised linking where identity theft has occurred;
  • The preventative control for unauthorised linking is each individual member service’s ‘proof of record ownership’ (PORO) processes;
  • Variability in the standard of proof required to satisfy PORO processes across member services presents shared risk for myGov participants;
  • There are no additional security checks to ensure high risk transactions are authorised by the genuine customer;
  • An apparent lack of formal processes for managing shared risks across the myGov ecosystem; and
  • Services Australia’s ability to provide a co-ordinated response to customers reporting data breaches and fraud may be limited by its enabling legislation.”

It also found that in cases where cybercriminals had used stolen information to access genuine myGov accounts, they were generally presented with no further challenge or multi-factor authentication (MFA) prompt when changing personal details or bank account details, or when linking the account to other digital government services. In other words, once the initial login succeeded, high-risk transactions were authorised on the strength of the session alone.

“In response to this investigation, Services Australia explained myGov was designed with the ability to open multiple myGov accounts, to avoid becoming a central database of information with a unique government identifier issued,” the ombudsman said.

“In practice, a single user can create as many myGov accounts as they wish, with the only limitation being that each account must be established using an email address that has not already been used to create a myGov account.”

The ombudsman made four recommendations and two suggestions for Services Australia to improve its security processes:

  • Consistent with its responsibilities for driving improvement in fraud control practices, we recommend Services Australia:
    • assess existing PORO processes across the myGov ecosystem to identify and document shared risks and work with member services to agree and implement appropriate controls; and
    • consider establishing baseline PORO requirements which must be met by all member services.
  • We recommend Services Australia implement additional security controls such as two factor authentication across its three member services for all high risk transactions, including linking a member service account to myGov and updating contact and bank account details.
    • Services Australia should ensure that a high standard of security settings for high risk transactions applies consistently across all available service delivery channels for its member services.
  • We recommend Services Australia establish formal processes for managing all shared risks across the myGov ecosystem, including identifying, assessing and documenting shared risks, periodically assessing the effectiveness of agreed controls, and responding to indications that risk assessments should be updated.
  • We recommend Services Australia seek external legal advice about options to facilitate a greater level of information sharing across linked member services and support member services to act proactively to reduce fraud risk or other unlawful activity while meeting their other legislative obligations.
  • We suggest Services Australia share learnings and information about its authentication and PORO processes with other myGov member services to support them to build their capability.
  • We suggest Services Australia regularly reviews and updates its communications regarding potential myGov and member service account breaches, including security notifications, staff guidance and online content, to ensure people are supported to take real time action to mitigate breaches to their myGov and/or linked member service accounts.
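To make the gap and the recommended control concrete, the following Python is an added illustration; it is not code from the Ombudsman's report, Services Australia or myGov. It contrasts the session-only authorisation the report describes (a valid login is enough for every transaction, so stolen credentials suffice to change a bank account) with a step-up policy of the kind recommended above, where high-risk transactions additionally require a second factor verified within a short window. The transaction names, the 300-second freshness window and the session fields are assumptions made for the example.

```python
"""Step-up authentication for high-risk account transactions.

Added illustration only: not code from the Ombudsman's report or from
Services Australia/myGov. Transaction names, the freshness window and the
session fields are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Transactions the report treats as high risk. The set is an assumption.
HIGH_RISK_TRANSACTIONS = frozenset({
    "link_member_service",
    "update_contact_details",
    "update_bank_account",
})

# Assumed freshness window: a second factor verified longer ago than this
# does not authorise the current transaction; the user must re-verify.
MFA_FRESHNESS_SECONDS = 300


@dataclass
class Session:
    user_id: str
    password_verified_at: int              # epoch seconds of the login
    mfa_verified_at: Optional[int] = None  # None: no second factor this session


@dataclass
class Decision:
    allowed: bool
    reason: str


def step_up_required(transaction: str) -> bool:
    """True for transactions that must not proceed on the session alone."""
    return transaction in HIGH_RISK_TRANSACTIONS


def authorise_session_only(session: Session, transaction: str, now: int) -> Decision:
    """The weak policy the report found in practice: any authenticated
    session may perform any transaction, including bank-account changes
    and linking. An attacker holding stolen credentials passes this check."""
    if session.password_verified_at > now:
        return Decision(False, "session_invalid")
    return Decision(True, "session_valid")


def authorise_step_up(session: Session, transaction: str, now: int) -> Decision:
    """The recommended policy: high-risk transactions also require a second
    factor verified within MFA_FRESHNESS_SECONDS of the request. The check
    sits at the transaction layer, so it applies to every delivery channel
    (web, app, phone) that reaches this code path."""
    if session.password_verified_at > now:
        return Decision(False, "session_invalid")
    if not step_up_required(transaction):
        return Decision(True, "low_risk")
    if session.mfa_verified_at is None:
        return Decision(False, "mfa_required")
    age = now - session.mfa_verified_at
    if age < 0 or age > MFA_FRESHNESS_SECONDS:
        return Decision(False, "mfa_stale")
    return Decision(True, "mfa_fresh")


def demo() -> Dict[str, str]:
    """Constructed scenario: an attacker logs in with stolen credentials at
    t=1000 and tries to redirect payments at t=1100. Returns the reason
    each policy gives, keyed by policy name."""
    stolen = Session("customer-42", password_verified_at=1000)      # constructed
    genuine = Session("customer-42", 1000, mfa_verified_at=1000)    # constructed
    return {
        "session_only": authorise_session_only(stolen, "update_bank_account", 1100).reason,
        "step_up_no_mfa": authorise_step_up(stolen, "update_bank_account", 1100).reason,
        "step_up_stale_mfa": authorise_step_up(genuine, "update_bank_account", 1400).reason,
        "step_up_fresh_mfa": authorise_step_up(genuine, "link_member_service", 1200).reason,
    }


if __name__ == "__main__":
    for policy, reason in demo().items():
        print(f"{policy:>18}: {reason}")
```

The point of the freshness window is that a second factor at login does not cover a bank-account change made an hour later; requiring re-verification at the transaction itself is what stops an attacker who has hijacked an already-authenticated session, and keeping the check at the transaction layer is what makes it consistent across channels, as the report asks.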

“We are pleased to note Services Australia’s response to this investigation reflects plans to implement a range of future fraud control initiatives including a focus on improving users’ ability to proactively identify and respond to fraud and security incidents in their accounts.”