An Ombudsman’s report has highlighted serious issues with myGov’s security.

An investigation by the Office of the Commonwealth Ombudsman has revealed significant shortcomings in the security measures of Services Australia’s myGov platform.

Its review found particular issues in relation to unauthorised account linking, a growing method of identity theft and fraud. 

The investigation, which was prompted by escalating reports of fraud and complaints from affected individuals, highlighted serious weaknesses in the system that stronger security controls could have addressed.

In 2022, media reports brought attention to a surge in tax fraud incidents, where fraudsters linked genuine taxpayer records to fraudulent myGov accounts. 

This allowed them to lodge false tax returns and claim refunds under stolen identities. 

The Ombudsman’s Office also received multiple complaints concerning unauthorised linking in Centrelink and Medicare accounts, prompting an inquiry into Services Australia’s management of these risks.

Unauthorised linking occurs when a legitimate customer’s member service account, such as those held with Centrelink, Medicare, or the Australian Taxation Office (ATO), is linked to a fake myGov account without the customer’s knowledge or permission. 

This type of fraud typically involves identity theft, where fraudsters use stolen personal information to bypass security checks and gain access to the victim’s accounts.

The Ombudsman’s report identified several critical issues within the myGov platform:

  • Inadequate Security Controls: The investigation found that myGov’s current security measures are insufficient to protect users from unauthorised linking once their identity has been stolen. Relying on each member service’s own proof of record ownership (PORO) process as the preventive control was deemed inadequate, especially given how much those processes vary from one service to another.

  • Lack of Coordination Across Member Services: The report highlighted a lack of formal processes for managing shared risks within the myGov ecosystem. This lack of coordination has hindered Services Australia’s ability to provide a unified response to fraud and data breaches reported by customers.

  • Insufficient Verification for High-Risk Transactions: The investigation revealed that high-risk transactions, such as linking accounts, updating contact information, or changing bank details, often lacked sufficient verification. Currently, myGov requires no additional security check once a user is signed in, even for these actions, so anyone who gets past the initial sign-in can carry them out unchallenged.

  • Legislative Limitations: Services Australia’s response to fraud incidents may be constrained by its enabling legislation, which restricts the sharing of information between its member services, even in cases of confirmed data breaches. This legal obstacle prevents a coordinated effort to protect affected accounts across multiple services.

The Ombudsman made four key recommendations to enhance the security of myGov and its linked services:

  • Review and Standardise PORO Processes: Services Australia should assess and standardise the proof of record ownership requirements across all member services to mitigate shared risks.

  • Implement Additional Security Controls: The introduction of two-factor authentication and other enhanced security measures for high-risk transactions across all service delivery channels is recommended to protect against unauthorised access.

  • Formalise Risk Management Processes: A formal process for identifying, assessing, and managing shared risks across the myGov ecosystem should be established, ensuring consistent security across all services.

  • Seek Legal Advice on Information Sharing: Services Australia should obtain external legal advice to explore options for greater information sharing among member services to proactively combat fraud while adhering to legislative obligations.
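
The gap the report describes in its third finding, and the control its second recommendation asks for, is what security engineers call step-up authentication: a signed-in session is enough to view a statement, but linking a member service or changing bank details must also present a fresh second factor. The following is an added example written for this page, not Services Australia’s code; the action names, the five-minute freshness window and the TOTP secret are assumptions made for the demonstration.

```python
"""Step-up authentication for high-risk transactions.

A session that only passed the initial sign-in cannot link a member service or
change bank details; those actions need a second-factor check that is recent.
Constructed example, not Services Australia's code. The action names, the
freshness window and the TOTP secret are assumptions for the demonstration.
"""
import hashlib
import hmac
import struct

# Actions whose abuse changes who controls the record or where money goes
# (assumed names, mirroring the report's examples).
HIGH_RISK_ACTIONS = {"link_member_service", "update_contact_details", "change_bank_details"}
STEP_UP_MAX_AGE = 300  # seconds a second-factor check stays valid (assumption)
TOTP_STEP = 30


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the profile common authenticator apps use."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Session:
    """A signed-in session; strong_auth_at records the last second-factor check."""

    def __init__(self, user: str, signed_in_at: int):
        self.user = user
        self.signed_in_at = signed_in_at
        self.strong_auth_at = None


def verify_second_factor(session: Session, secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current TOTP or one step either side to tolerate clock skew."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * TOTP_STEP), code):
            session.strong_auth_at = now
            return True
    return False


def authorize(session: Session, action: str, now: int) -> tuple:
    """Decide whether a signed-in session may perform an action.

    Low-risk actions need only the session. High-risk actions also need a
    second-factor check no older than STEP_UP_MAX_AGE seconds.
    """
    if action not in HIGH_RISK_ACTIONS:
        return True, "session sufficient"
    if session.strong_auth_at is None:
        return False, "step-up required: no second factor this session"
    if now - session.strong_auth_at > STEP_UP_MAX_AGE:
        return False, "step-up required: second factor too old"
    return True, "step-up satisfied"


def demo():
    """Walk a session through a low-risk action, a denied link, a step-up and an expiry."""
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real enrolment
    t0 = 1_700_000_000                # constructed timestamp
    s = Session("customer", signed_in_at=t0)
    results = [
        authorize(s, "view_statement", t0),                         # allowed
        authorize(s, "link_member_service", t0),                    # denied, no second factor
    ]
    stepped_up = verify_second_factor(s, secret, totp(secret, t0), t0)
    results.append(authorize(s, "link_member_service", t0 + 10))    # allowed, fresh check
    results.append(authorize(s, "change_bank_details", t0 + STEP_UP_MAX_AGE + 1))  # denied, stale
    return stepped_up, results


if __name__ == "__main__":
    ok, outcome = demo()
    print("second factor accepted:", ok)
    for allowed, reason in outcome:
        print(allowed, reason)
```

The point of the freshness window is that a stolen password, or a hijacked signed-in session, gets the attacker no further than read access; the link and bank-detail changes the report singles out each demand proof the person still holds the second factor. A production deployment would bind the check to the specific transaction as well, so that an approval for one action cannot be replayed for another.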

Services Australia has acknowledged the findings and accepted all recommendations made by the Ombudsman. 

The agency emphasised its commitment to strengthening myGov’s security in response to the increasingly sophisticated cyber threat environment. 

Services Australia says it is already working on implementing passkeys, which offer enhanced protection against phishing and unauthorised access.

The agency also highlighted ongoing efforts to collaborate with member services to improve overall system security.