Services Australia urged to tighten myGov security
Services Australia is not doing enough to protect Australians from myGov fraud, an investigation by the Commonwealth Ombudsman has found.
A report detailing the findings of the investigation states that there are inadequate security controls to prevent fraudulent actions such as the unauthorised linking of legitimate myGov accounts to fake accounts created by scammers. Currently the only controls in place to prevent these attacks are the proof of record ownership processes implemented by the individual myGov member service agencies, according to Ombudsman Iain Anderson.
“APS agencies responsible for administering a system or program that involves other agencies, like myGov, should understand the levels of risk across the system and ensure risks that could impact other participants are managed effectively, including through identifying and managing shared risks,” he said.
In addition, the report found that there are no additional security controls in place to ensure high-risk transactions such as changing bank account details are authorised by genuine customers, Anderson said.
The report makes four recommendations and two suggestions for Services Australia aimed at improving security controls for linking and high-risk transactions. The recommendations are also aimed at improving how Services Australia and member services manage shared risks within the myGov ecosystem, as well as Services Australia’s approach to responding to customer reports of fraud and breaches to individual records.
“Given the volume and sensitivity of information held in member service accounts linked to myGov, robust protections to stop fraudsters gaining unauthorised access to myGov accounts are essential,” Anderson said.
He said his office has received reports from citizens about the stress and anxiety they experienced when their personal information was stolen and fraud committed in their name.
“We thank the Ombudsman for his review and we’ve accepted all four recommendations and two suggestions,” said Services Australia General Manager Hank Jongen. “Maintaining the security of myGov and the protection of people’s personal information remains a top priority, and we’re committed to ongoing improvement.
“This investigation provides us with helpful recommendations on how we can further strengthen the security of the myGov platform, including working with member services uplifting security.”
Jongen went on to say that the report provides certainty that Services Australia is on the right path.
“Work is already underway to address the identified issues, as well as other security improvements to ensure myGov remains trusted, safe and secure,” he said. “This includes measures funded through the 2024–25 Budget to improve myGov account security and fraud incident detection.
“We’re pleased the Ombudsman has acknowledged the security checks already in place to help protect people’s accounts. These include secure sign-in options like passkeys, Digital ID and two-factor authentication, as well as locking myGov accounts and alerting customers to potential unauthorised access.
“In a challenging global security environment, myGov is continually evolving to meet the ongoing challenges of increasingly sophisticated and numerous scams, identity theft and other cybersecurity threats,” he concluded.
The full report from the Commonwealth Ombudsman is available here.
This item was updated 09/08/2024.