ATO deals with 3 million cyber attacks each month
This article was current at the time of publication.
How safe is your accounting practice and, more to the point, how safe are your clients?
It’s a question all practitioners should be asking given the rapid escalation of cyber attacks launched against Australian businesses and individuals.
Indeed, even the Australian Tax Office (ATO) is dealing with a constant barrage of cyber attacks.
ATO Second Commissioner Jeremy Hirschhorn highlighted this in a recent presentation to the Tax Institute, telling the audience that by the time he finished his 40-minute address there would have been 4000 attempts to hack the ATO’s systems.
His calculation was based on an average of 3 million cyber attacks being launched against the ATO every month as criminals attempt to access Australian taxpayer data.
Graham Chee FCPA, Managing Director of cybersecurity risk consultancy BCyber, says fraudsters have even been posing as ATO representatives to trick taxpayers into handing over personal information or money.
“In some cases, scammers have gone so far as to spoof the phone number of the ATO’s official contact centre, making it appear as though the call is coming from a legitimate source,” Chee says.
Accounting firms face severe risks
Accounting firms are also prime targets for hackers wanting to steal highly confidential client data – especially tax file numbers (TFNs) – which can potentially be sold online to other criminals.
“TFN information is involved in almost 20 per cent of all reported data breaches,” says Nicole Gabryk, Special Counsel in cyber, privacy and data security at insurance law firm Wotton + Kearney.
“We see accounting firms being hit frequently, [as well as] tax professionals,” Gabryk says.
“Industry professionals need to realise that the type of data they hold is very valuable to cybercriminals and it comprises a large percentage of the types of data involved in almost every single data breach.”
There’s been a surge in ransom attacks where hackers break into accounting networks and steal client data, and then demand large payments – usually in a cryptocurrency – for its “safe return”.
In most cases, even when a ransom is paid, the stolen data isn’t returned.
Cyber security companies overseas have also recently reported cases of phishing attacks from cybercriminals posing as potential new tax clients.
These attacks involve sending tax practitioners emails containing documents embedded with remote access software. When a document is opened, hackers can access not only the computer of the person who clicked on the document but their entire computer network.
“The root cause is an error in the way in which information is dealt with and people clicking on links they shouldn’t and downloading documents they shouldn’t,” Gabryk says.
“That then creates a portal into the systems which can be exploited by threat actors.”
ATO protective measures
The ATO has detailed guidance for tax professionals on its website, which includes steps to take in the event of a data breach.
It recommends contacting the ATO’s Client Identity Support Centre as soon as possible, ensuring compliance with client notification obligations under the Privacy Act and reviewing the Tax Practitioners Board (TPB) information on how the Notifiable Data Breaches scheme can impact TPB registrations.
The ATO advises that impacted firms should inform all affected clients, staff and software providers, and take steps to review systems access and controls.
Once the ATO is made aware of a data breach it can impose a range of measures including requiring affected clients to provide additional proof of identity when dealing with the ATO.
It will also monitor a client’s ATO records to identify irregular activity and may also activate additional security measures such as blocking or limiting access to online services, including myGov.
In some cases, it may assign a data breach manager to assist in the management of data breaches within a practice.
The ATO can place a protective block on your client so they’re not susceptible to fraud, although this can lead to administrative delays for that client and your practice, especially around tax time.
“It’s good that the mechanism exists, but it can be quite cumbersome for tax professionals every time they need to deal with the ATO to access anything they need around a client’s TFN,” Gabryk says.
Avoiding cyber attacks
CPA Australia has a range of online resources for practitioners around technology, IT risks, and managing cyber security.
The website hub includes links to useful ATO and TPB cyber security tips to ensure practitioners have sufficient IT controls in place to protect the security and confidentiality of client records.
There is a range of simple steps firms can take to tighten their security, including:
- Make sure you keep all antivirus and other protective software updated
- Ensure administrative access to company computers is limited
- Use multifactor security identification to make it more difficult to access systems
- Have strong system password rules and management processes.
Backing up data on an ongoing basis – independent from cloud-based solutions – is also important.
Chee says that just as routine medical and dental check-ups are necessary, practices should get a regular cyber security check-up to help identify potential areas of vulnerability and prevent possible breaches or attacks.
“It's important to remember that cyber security threats constantly evolve, and what may have worked to protect your practice may need more,” Chee says.
“An independent assessment can also provide a valuable benchmark for your practice’s cyber security posture, which can help demonstrate compliance and due diligence to clients, regulators, and other stakeholders.
“It can also help to build trust and confidence with clients, who may be reassured by knowing that their accountant is taking cyber security seriously and has implemented appropriate measures to protect their data.”