Ombudsman finds more can be done to protect Australians from myGov fraud

The Commonwealth Ombudsman has released the investigation report, ‘Keeping myGov secure – An investigation into Services Australia’s response to myGov fraud arising from unauthorised linking to member service accounts’.

Commonwealth Ombudsman, Iain Anderson, said: “myGov fraud causes affected Australians stress, anxiety and frustration. Following complaints to my Office, and media reports about incidents of tax fraud linked to myGov, I commenced an investigation based on concerns previously raised with Services Australia that there were not adequate security controls in place to protect people from the impact of myGov fraud.”

“Unauthorised linking” is where a genuine myGov customer’s member service account is linked without their knowledge to a ‘fake’ myGov account created by a fraudster. The investigation found that preventative security controls for unauthorised linking are limited to the proof of record ownership processes that are implemented by the individual myGov member service agencies. These processes vary across those individual agencies.

There are no additional security controls in place to ensure high-risk transactions such as changing bank account details are authorised by genuine customers, presenting a shared risk to all myGov participants.

Mr Anderson noted, “APS agencies responsible for administering a system or program that involves other agencies, like myGov, should understand the levels of risk across the system and ensure risks that could impact other participants are managed effectively, including through identifying and managing shared risks.”

The Ombudsman made four recommendations and two suggestions to Services Australia aimed at improving:

• the security controls for unauthorised linking and high-risk transactions

• how Services Australia and individual member services manage shared risks within the myGov ecosystem

• Services Australia’s approach to responding to customer reports of fraud and breaches to individual records across its three member services.

Reflecting on the importance of APS agencies putting people at the centre of public administration, Mr Anderson said:

“People have told us about the stress and anxiety they experienced when their personal information was stolen, and fraud committed in their name. In these circumstances, it is particularly important that Services Australia provide accessible, consistent and clear information to help people.”

Services Australia accepted the Ombudsman’s recommendations and suggestions.

Services Australia General Manager Hank Jongen said: “We thank the Ombudsman for his review and we’ve accepted all four recommendations and two suggestions. 

“We understand it can be a stressful experience if people’s myGov or linked service is compromised by scammers. 

“Maintaining the security of myGov and the protection of people’s personal information remains a top priority, and we’re committed to ongoing improvement,” said Mr Jongen.

Services Australia said the investigation provided helpful recommendations on how they can further strengthen the security of the myGov platform, including working with member services to uplift security.

“Work is already underway to address the identified issues, as well as other security improvements to ensure myGov remains trusted, safe and secure,” said Mr Jongen.

“We’re pleased the Ombudsman has acknowledged the security checks already in place to help protect people’s accounts. 

“In a challenging global security environment, myGov is continually evolving to meet the ongoing challenges of increasingly sophisticated and numerous scams, identity theft and other cyber security threats.

“We also work with our customers to educate them on steps they can take to keep their account safe, including information about scams, what to do if they’ve been affected, and how to improve the security of their myGov account,” said Mr Jongen.

More information can be found at my.gov.au/scams

The response and planned actions to implement the Ombudsman’s recommendations are at Appendix A to the report.

Mr Anderson said, “Given the volume and sensitivity of information held in member service accounts linked to myGov, robust protections to stop fraudsters gaining unauthorised access to myGov accounts are essential.”

The Office will monitor the implementation actions in accordance with its usual monitoring practices.

The full report is available via our website here: https://bit.ly/4fuVfcL

For more information visit www.ombudsman.gov.au