A new report into the security of Australians' myGov accounts has revealed serious vulnerabilities and exposed how hackers have exploited account-linking technology to steal from Centrelink, Medicare and Australian Taxation Office accounts.
It found hackers were exploiting Medicare and Centrelink accounts through the myGov platform by linking them to bogus myGov accounts and making bogus tax claims worth thousands of dollars, or falsely claiming support payments.
The practice is called "unauthorised linking" — where a genuine myGov customer's member service account is linked to a 'fake' myGov account by another party, without authorisation.
Many victims had their accounts locked and payments suspended, causing further harm, according to a report by Ombudsman Iain Anderson.
The report follows an inquiry sparked by the discovery of large volumes of confidential information, including myGov login details, that were being sold online.
Anderson's report into myGov fraud found "myGov’s current security controls do not adequately protect people from unauthorised linking where identity theft has occurred".
The Ombudsman made four recommendations for Services Australia to upgrade its security, all of which it accepted.
Services Australia and partners responded to more than 6,000 scams attempting to impersonate myGov in 2023, Government Services Minister Bill Shorten said in April.
How hackers exploit myGov accounts
The ombudsman said he received complaints from people affected by fraudsters using stolen personal information to access their Centrelink, Medicare and ATO online accounts through myGov.
There were various ways personal information was stolen including targeted attacks, phishing scams, buying someone's information through the dark web or collecting personal information from documents found in household or business refuse or stolen from mailboxes.
The perpetrators then submitted false claims for Centrelink payments, advances and loans in the victims' names and redirected their pension payments.
Some victims were then unable to claim financial assistance, such as the Child Care Subsidy, until Services Australia and its members completed their investigations.
What did the ombudsman's report find?
The investigation found myGov’s security controls don't protect people from their accounts being linked and exploited once their data has been stolen.
The report also found there are not enough security checks to ensure that customers are genuine, particularly around changing bank details.
It highlighted unauthorised linking as a serious problem that could be fixed by requiring greater proof to link Medicare and Centrelink accounts to the myGov central hub.
"We found that overall, the current security measures focus on stopping fraudsters getting into genuine customer myGov accounts, but do not necessarily prevent them taking a side entrance to member service accounts through unauthorised linking," the report reads.
The report recommended changes to how Services Australia manages the security of account linking, such as two-factor authentication for every high-risk transaction, including changing bank account details.
It also recommended setting up a formal process to investigate and rectify breaches and seek further external legal advice on greater information sharing between services.
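The "side entrance" the report describes, and the step-up control it recommends, can be shown as a small policy model. The following Python is an added illustration, not code from the Ombudsman's report or from Services Australia, and every identifier in it (account ids, customer references, the action names, the `verified_second_factor` flag) is a constructed assumption rather than myGov's real schema or controls. It contrasts a weak policy that lets knowledge of identity details alone link a member service record and change bank details with a hardened policy that requires a completed second factor for those high-risk actions and holds any attempt to re-point a record that is already linked to a different myGov account, so the existing owner can be notified instead of locked out after the fact.

```python
from dataclasses import dataclass, field
from typing import Optional

# Actions the toy policy treats as high risk (constructed list, echoing the
# report's examples: linking a member service and changing bank details).
HIGH_RISK_ACTIONS = {"link_member_service", "change_bank_details"}


@dataclass
class MemberServiceAccount:
    """A Centrelink/Medicare/ATO record; constructed fields, not a real schema."""
    service: str
    customer_ref: str
    linked_to: Optional[str] = None  # id of the myGov account it is linked to
    bank_account: str = "bank-original"


@dataclass
class MyGovAccount:
    account_id: str
    verified_second_factor: bool  # a confirmed second factor is registered
    links: set = field(default_factory=set)


@dataclass
class Request:
    action: str
    actor: MyGovAccount
    member: MemberServiceAccount
    has_identity_details: bool    # name, DOB, card number etc. (can be stolen)
    step_up_passed: bool = False  # second factor / stronger proof completed
    new_bank_account: str = ""


def weak_policy(req: Request) -> str:
    """Identity details alone unlock linking and changes: the 'side entrance'."""
    return "allowed" if req.has_identity_details else "denied"


def hardened_policy(req: Request) -> str:
    """Step-up on every high-risk action; hold links to already-linked records."""
    if not req.has_identity_details:
        return "denied"
    if req.action not in HIGH_RISK_ACTIONS:
        return "allowed"
    if not (req.actor.verified_second_factor and req.step_up_passed):
        return "step_up_required"
    if req.action == "link_member_service":
        existing = req.member.linked_to
        if existing not in (None, req.actor.account_id):
            # Record is already linked to another myGov account: do not silently
            # re-point it; hold for review and notify the current owner.
            return "review_required"
    return "allowed"


def apply_request(req: Request, policy) -> str:
    """Evaluate the request with the given policy and apply it only if allowed."""
    decision = policy(req)
    if decision == "allowed":
        if req.action == "link_member_service":
            req.member.linked_to = req.actor.account_id
            req.actor.links.add(req.member.customer_ref)
        elif req.action == "change_bank_details":
            req.member.bank_account = req.new_bank_account
    return decision


def fraud_scenario(policy) -> dict:
    """Constructed test case: a bogus myGov account holding stolen identity
    details tries to link a Medicare record that is already linked to the
    genuine customer's myGov account, then tries to change its bank details.
    Returns the two decisions and the record's final state."""
    medicare = MemberServiceAccount("Medicare", "cust-0001", linked_to="victim-mygov")
    bogus = MyGovAccount("bogus-mygov", verified_second_factor=False)
    link = Request("link_member_service", bogus, medicare, has_identity_details=True)
    d1 = apply_request(link, policy)
    change = Request("change_bank_details", bogus, medicare,
                     has_identity_details=True, new_bank_account="bank-other")
    d2 = apply_request(change, policy)
    return {"link": d1, "bank_change": d2,
            "linked_to": medicare.linked_to, "bank_account": medicare.bank_account}


if __name__ == "__main__":
    print("weak policy    :", fraud_scenario(weak_policy))
    print("hardened policy:", fraud_scenario(hardened_policy))
```

Under the weak policy the scenario ends with the record linked to the bogus account and its bank details changed; under the hardened policy both requests stop at `step_up_required` and the record is untouched. A genuine customer who has a verified second factor and completes the step-up still links their own unlinked record without friction, and the `review_required` outcome only fires when someone tries to re-point a record that already belongs to another myGov account.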
How has Services Australia responded?
Services Australia acting chief executive Jarrod Howard said the organisation welcomed the ombudsman's investigation.
"Services Australia is committed to protecting people from identity theft and scammers," he wrote in a letter attached in the report.
"The investigation provides us with helpful recommendations for how we can further strengthen the security of the myGov platform, the role of member services to uplift security and provides us with certainty that we are on the right path with a number of measures we already have underway."