ATO ‘vulnerable’ to external cyber attacks

Two of Australia’s biggest government agencies remain vulnerable to cyber attacks from outside sources despite attempts to improve security.


An audit of the Australian Taxation Office and immigration and border protection department found both had a “reasonable” level of protection from unauthorised leaks from within.

But neither were sufficiently protected against external attacks.

Each year the ATO collects more than $440 billion in tax revenue through its electronic lodgement system, while immigration electronically processes around seven million visas.

“Not operating in a cyber-resilient environment puts entities’ data and business processes at risk, with potentially significant consequences for Australian citizens and other clients and stakeholders,” the Australian National Audit Office said in its report, published on Wednesday.

The Department of Human Services, which is in charge of Centrelink, was the only one of the three audited agencies deemed to be “cyber resilient”.

That means it’s able to keep providing services while deterring and responding to cyber attacks, thus reducing the likelihood of a successful attack.

It was also the only one found to have fully complied with four mitigation strategies mandated by the federal government in 2013.

The audit found immigration allowed more than 1400 staff to bypass controls and install and use unauthorised applications on their computers – breaking its own rules and increasing its security risks.

It also found many immigration computers had outdated software, which could also increase security risks if it was no longer supported with regular updates.

Auditors said the ATO and immigration department needed to prioritise cyber security, which both accepted.

The tax office said it has committed additional resources and promised to focus fixing deficiencies.

“Immediate improvements have already been put in place with a commitment to reach cyber resilience status in 2017,” it said.

Immigration said it had continued to improve its cyber security since the last audit in 2014, but recognises it still faces risks and challenges.

By the end of June, the department has promised to deliver several programs it believes will improve compliance and capability as part of a broader five-year program to better resilience.

“These measures will enhance the department’s protection against cyber attacks from external sources and further improve the department’s robust cyber security controls against internal threats,” a spokeswoman told AAP.