    Data breach guidance for tax professionals

    Information security is an important aspect of your business. It’s important you keep all your business, staff and client information secure. If your data is lost or compromised, it can be very difficult and costly to recover.

    Data breaches are often a precursor for refund fraud. We have sophisticated mechanisms in place for identifying and protecting against potential refund and superannuation fraud that assist in meeting our obligation to protect government revenue.

    Data breaches and client protection

    As tax professionals hold a large amount of client, staff and business information they have become a target for identity thieves.

    Tax professionals who experience a data breach may discover their clients' identities have been stolen and refund fraud committed in the clients' names.

    A data breach occurs when confidential taxpayer information has been accessed by an unauthorised third party.

    Examples of data breaches include but are not limited to:

    • unauthorised removal of computers, data, or records in both paper and digital formats
    • people with legitimate access to the data using it for fraudulent means
    • accessing taxpayer files using a fraudulently obtained credential, such as myGovID
    • criminals exploiting vulnerabilities in your IT security controls, hacking or phishing for information
    • accidental disclosure of information – for example, records emailed to an unauthorised third party, or hard copies left in a public place
    • payroll information for your employees being unlawfully accessed
    • unauthorised access to cloud based accounting software you use to store information.

    What we recommend you do

    Tax professionals are encouraged to report data breaches to us to ensure protective measures can be placed on client accounts, protecting them and government revenue from further harm.

    If you have experienced a breach we recommend the following actions.

    • Contact us as soon as practicable on 1800 467 033 Monday to Friday, 8.00am–6.00pm so that we may apply measures to protect your business, staff and clients where necessary.
    • Review the guidance material on the Office of the Australian Information Commissioner (OAIC) website to ensure you comply with any obligations you may have under the Privacy Act 1988, including the Notifiable Data Breaches Scheme (NDBS).
      • Note: For information on how compliance with the NDBS can impact your Tax Practitioners Board (TPB) registration, refer to the advice provided on the TPB website.
    • Inform impacted clients and staff of the data breach. We may also contact your clients or staff directly.
    • Contact your software provider if you suspect the breach may have originated in one of their service offerings.
    • Consider what information was accessed during the breach and take steps to safeguard this where necessary – for example, you may need to report inappropriate access to your myGovID.
    • Take steps to secure the information in your business by ensuring all security software and controls are up-to-date.
    • Review systems access and remove it for people who no longer require it.
    • Continue to follow security best practice to reduce the risk in your business and reinforce these practices with your staff.

    If you or your clients are concerned about the security of other personal information and the wider impact of identity theft, we recommend you speak with IDCARE on 1300 432 273. IDCARE provide free advice and confidential support to victims of data breaches and identity theft.

    Case study: Stolen equipment

    A tax agent reported the loss of a laptop and documents stolen from their vehicle to the ATO. The items contained confidential information including business credentials and records for individual and business entities belonging to the tax agent. Potential identity theft and the lodgement of fraudulent PAYG summaries (using their ABN) on their clients’ accounts were later confirmed.

    Protective measures were applied within our systems to client accounts, entity accounts and employee accounts relating to the business.

    Reports of stolen equipment and data used for business are a regular occurrence. There are a number of ways in which the data you hold on behalf of your clients, employees and your business can be stolen. Methods include dumpster diving, letterbox theft, paper or electronic files left unattended, cards stolen from wallets, and stolen briefcases or laptops.

    Keep your client and business information safe: do not leave your information unattended and be sure to secure your electronic devices. Ensure client and staff data is securely stored at the end of each day and apply two-factor authentication to all devices used for your business.

    Case study: Ransomware

    A tax agent reported an incident in which they received an authentic-looking email from a large Australian business requesting information. The agent clicked an embedded link within the email, which released a 'crypto virus' that locked their computer systems. Fortunately their IT specialist was able to recover their systems, but the security of their data was put at risk. They have since added additional measures to protect their systems and data holdings from future attacks.

    We sought the names of potentially compromised clients and applied protective measures within our systems to their accounts, including impacted entity accounts and employee accounts.

    There are many variations of ransomware that can impact business systems and data in different ways. At the time of a ransomware attack it's impossible to know precisely what the malware will do. Infected links can trigger ransomware to spread through computer systems and silently steal information. Other ransomware is used to extort money from businesses by encrypting their computer files with a key that only the criminal holds. If ransom money is paid to fraudsters, you may have your systems and data released, but you could be targeted again.

    Staff education is critical. Do not click on links, open attachments, download files, or install applications from emails, because they may install ransomware on your computer. Ensure the security of your data by backing it up; off-site data storage options can be an effective backup of your data.

    How we protect clients affected by a data breach

    We protect the privacy of client records by our proof of record ownership processes. If a data breach occurs within your practice we may implement a range of additional safeguards to protect clients and government revenue.

    Understanding what treatments we may apply to protect your clients will help you support them.

    Treatment options

    Treatment options can include one or more of the following depending on the severity of the breach and any resultant fraud attempts.

    Additional proof of identity

    We may issue an alert to our staff requiring them to seek additional proof of record ownership from your client.

    The requirement will apply when your client interacts with us. The alert prompts our staff to ask additional questions when validating your client’s identity. This alert does not prevent you from dealing with us on behalf of your client or change how we will identify you.

    Asking questions only the genuine client will know assures us we are dealing with the actual client, and not an unauthorised third party.

    Your client may also elect to have a secret password created on their ATO record. The client can complete this with our staff over the phone or by attending one of our shopfronts with proof-of-identity documentation. Secret passwords validate a client’s identity when they deal with us.

    If a client fails to establish proof of identity with us, we will ask them to attend one of our shopfronts to supply full proof-of-identity documentation or complete a tax file number enquiry form on the Australia Post website.

    Additional monitoring processes

    We will continue to monitor your client’s ATO records. If we identify any irregular activity, we may contact you or your client to ensure the activity is legitimate. This may delay our processing of income tax returns and other forms.

    Additional security measures

    Depending on your client’s circumstances, we may also apply additional security measures within our systems. These measures prevent particular activity where we perceive increased risk to clients, government revenue or both.

    What this means for your client:

    • the client record may not be accessible through our online channels or myGov
    • pre-fill data may not be available
    • we may prevent business activity statements from issuing automatically; you or your client will need to contact us before each lodgment so we can generate these statements
    • we may stop income tax returns and other forms for verification; this may delay our processing of these forms.

    Appointment of a data breach manager

    In some cases we may assign a data breach manager who will assist you in the management of data breaches within your practice. The data breach manager may provide support to lessen the impact of the data breach on your practice and your client.

    Inappropriate access to myGovID

    myGovID offers a greater level of security with identity document verification, compared to username and password credentials and SMS verification codes.

    If you are aware or suspect someone has inappropriately accessed your personal information in myGovID, you need to report this immediately.

    Contact the myGovID support line on 1300 287 539 (select option 2 for myGovID enquiries) between 8.00am and 6.00pm AEST, Monday to Friday.

    International callers can contact us by phoning our switchboard on +61 2 6216 1111 between 8.00am and 5.00pm AEST and request that your call be transferred to the myGovID support line.

    See also:

    • Visit the myGovID website for more information and tips about myGovID security and staying safe online.

    Last modified: 31 Mar 2020. QC 54173