The ATO has called on big businesses to remember the ethical importance of data security, following heavy questioning at the royal commission over Robodebt.
Jeremy Hirschhorn, the Australian Taxation Office’s (ATO) second commissioner for client engagement, was present at the royal commission only weeks ago, being interrogated on the Robodebt scheme, which saw the Department of Human Services illegally use data from the ATO to automatically calculate debt and overpayments within Centrelink.
As the debt calculated was often wrong, leading to individuals paying more than they owed, Mr Hirschhorn was being questioned as to why the ATO didn’t speak up.
Now, in his speech at the AFR’s CFO Live Summit, he has stated that businesses need to place a greater focus on the morality of data collection and use.
“I would urge senior leaders of organisations to make sure that your people do not get excessively focused on the legal and technical aspects of the use of data, and forget the ethical aspects,” he said.
Mr Hirschhorn has also said that many organisations’ cyber security practices have gaps when it comes to identity fraud.
“An important development is the rise of cyber-enabled fraud at scale (such as identity and information theft). Many organisations have focused on traditional cyber security but may have a blind spot in relation to cyber-enabled identity fraud (identity fraud may have been treated as a series of ‘one-off’ events). However, as criminals become more sophisticated, and large data leaks more common, the risk of an ‘at scale’ cyber identity fraud has dramatically increased.”
The ATO is indeed in a position to warn the industry of the woes of data storage, being one of the largest data collectors in the country.
“Operating in an increasingly digital environment means we must consider how we ensure the reliability of our digital services and safeguard our systems from ever-evolving cyber threats and fraud attempts,” said Hirschhorn.
“To give you a sense of scale, the ATO holds about 50 petabytes of actively used data and processes about 20 billion transactions each year. On any given day, our systems block an average of approximately 90,000 malicious (attempted) connections per day — this is even higher during tax time — so about 3 million per month or one per second.”
However, with the ATO being such a large collector and protector of data, its ramp-up in security spending is set to have a trickle-down effect, leaving smaller organisations in the tax industry more vulnerable.
“As we harden our systems, criminals are seeking to access the broader tax system through other channels, like tax agent systems, superannuation funds or even taking over the identity of directors. Increasingly, we are seeing cascading penetration attempts, where criminals attempt to obtain information from different places before putting it together for fraud attempts.”
Despite the ATO’s best efforts, ATO details, along with MyGov and NDIS details, were recently found for sale online.
The data was found not on the dark web, but on the clear web, meaning it is easily accessible with just a Google search. With the price tag as low as US$1, cyber security experts have expressed concern over the ease of access for cyber criminals.
“There’s a very low barrier of entry for criminals … and often what we see with foreign government espionage or cyber programs — they’re not above buying tools or buying information from criminals either,” said CyberCX director of intelligence Katherine Mansted.