Keeping myGov secure
In 2022, media reported escalating incidents of tax fraud committed by unauthorised third parties linking genuine taxpayer records to ‘fake’ myGov accounts. The Office also received and investigated complaints involving unauthorised linking in Centrelink and Medicare accounts.
Unauthorised linking is where a genuine myGov customer's member service account is linked to a 'fake' myGov account without the customer's knowledge or authorisation. This investigation was to look at what Services Australia, as the myGov administrator, is doing to strengthen security for unauthorised linking. It was also to understand why there was an apparent lack of co-ordination across Centrelink and Medicare when helping people impacted by identity theft and my Gov fraud, including unauthorised linking.
Key findings
• myGov’s current security controls do not adequately protect people from unauthorised linking where identity theft has occurred.
• The preventative control for unauthorised linking is each individual member service’s ‘proof of record ownership’ (PORO) processes.
• Variability in the standard of proof required to satisfy PORO processes across member services presents shared risk for myGov participants.
• There are no additional security checks to ensure high risk transactions are authorised by the genuine customer.
• An apparent lack of formal processes for managing shared risks across the myGov ecosystem.
• Services Australia’s ability to provide a co-ordinated response to customers reporting data breaches and fraud may be limited by its enabling legislation.
