  • Data breach guidance for tax professionals

    Information security is an important aspect of your business. It’s important you keep all your business, staff and client information secure. If your data is lost or compromised, it can be very difficult and costly to recover.

    Data breaches are often a precursor to refund fraud. We have sophisticated mechanisms in place for identifying and protecting against potential refund and superannuation fraud, which assist us in meeting our obligation to protect government revenue.

    Data breaches and client protection

    As tax professionals hold a large amount of client, staff and business information they have become a target for identity thieves.

    Tax professionals who experience a data breach may discover that their clients' identities have been stolen and refund fraud committed in those clients' names.

    A data breach occurs when confidential taxpayer information has been accessed by, or disclosed to, an unauthorised third party, whether through malice, error or loss.

    Examples of data breaches include but are not limited to:

    • unauthorised removal of computers, data, or records in both paper and digital formats
    • people with legitimate access to the data using it for fraudulent means
    • accessing taxpayer files using a fraudulently obtained credential, such as an AUSkey
    • criminals exploiting vulnerabilities in your IT security controls, hacking or phishing for information
    • accidental disclosure of information – for example, records emailed to an unauthorised third party, or hard copies left in a public place
    • payroll information for your employees being unlawfully accessed
    • unauthorised access to cloud-based accounting software you use to store information.

    What we recommend you do

    Tax professionals are encouraged to report data breaches to us to ensure protective measures can be placed on client accounts, protecting them and government revenue from further harm.

    If you have experienced a breach we recommend the following actions.

    • Contact us as soon as practicable on 1800 467 033 Monday to Friday, 8.00am–6.00pm so that we may apply measures to protect your business, staff and clients where necessary.
    • Review the guidance material on the Office of the Australian Information Commissioner (OAIC) website to ensure you comply with any obligations you may have under the Privacy Act 1988, including the Notifiable Data Breaches Scheme (NDBS).
      • Note: For information on how compliance with the NDBS can affect your Tax Practitioners Board (TPB) registration, refer to the advice provided on the TPB website.
    • Inform impacted clients and staff of the data breach. We may also contact your clients or staff directly.
    • Contact your software provider if you suspect the breach may have originated in one of their service offerings.
    • Consider what information was accessed during the breach and take steps to safeguard this where necessary – for example, you may need to cancel your AUSkey.
    • Take steps to secure the information in your business by ensuring all security software and controls are up-to-date.
    • Review systems access and remove it for people who no longer require it.
    • Continue to follow security best practice to reduce the risk in your business and reinforce these practices with your staff.

    If you or your clients are concerned about the security of other personal information and the wider impact of identity theft, we recommend you speak with IDCARE on 1300 432 273. IDCARE provides free, confidential advice and support to victims of data breaches and identity theft.

    Case study: Stolen equipment

    A tax agent reported to the ATO that a laptop and documents had been stolen from their vehicle. The items contained confidential information, including business AUSkey credentials and records for individual and business entities belonging to the tax agent. Identity theft and the lodgment of fraudulent PAYG payment summaries (under the agent's ABN) against their clients' accounts were later confirmed.

    We worked with the business to cancel AUSkeys and issue new ones. Protective measures were applied within our systems to client accounts, entity accounts and employee accounts relating to the business.

    Reports of stolen equipment and data used for business are a regular occurrence. There are a number of ways in which the data you hold on behalf of your clients, employees and your business can be stolen. Methods include dumpster diving, letterbox theft, paper or electronic files left unattended, cards stolen from wallets, and stolen briefcases or laptops.

    Keep your client and business information safe: do not leave your information unattended and be sure to secure your electronic devices. Ensure client and staff data is securely stored at the end of each day, enable full-disk encryption and a strong screen lock on laptops and portable media so that a stolen device does not mean stolen data, and apply two-factor authentication to all accounts and devices used for your business.

    Case study: Business email compromise

    Business email compromise presents an increasing risk to business. Attackers gain access to a business's email accounts, or spoof its email address, in an attempt to steal personal identifying information or to defraud the company, its employees or its customers of money.

    Spoofing is where an email is sent with a forged sender address, or from a look-alike address or domain, so that it appears to come from a legitimate source, in this case the tax agent. Hovering over or expanding the sender's display name reveals the actual address behind it, which exposes look-alike addresses. Where the address itself has been forged, only the message headers (Return-Path, Received, and the Authentication-Results line that records SPF, DKIM and DMARC checks) show the true origin. Publishing SPF, DKIM and DMARC records for your own domain lets recipients' mail servers reject mail forged in your name.

    A recent report advised a tax agent’s email address was spoofed by a fraudster. The fraudster sent an email, which seemed legitimate, to the agent’s client list asking them to complete a personal data request form. This was an attempt to harvest client identifying information with the aim to commit future identity and tax fraud.

    We took immediate action and applied protective measures within our systems to affected client accounts, entity accounts and employee accounts.

    Cyber and phishing attacks can be devastating for a business and are often the precursor to further attacks on your client, business and employee data. If you receive a suspected phishing email, do not click on any links, open the attachment, download any files or install applications; these files may install malware on your computer that steals identity credentials.

    Case study: Ransomware

    A tax agent reported an incident in which they received an authentic-looking email from a large Australian business requesting information. The agent clicked an embedded link in the email, which installed ransomware (a 'crypto virus') that encrypted their files and locked their computer systems. Fortunately their IT specialist was able to recover their systems, but the security of their data was put at risk. They have since added further measures to protect their systems and data holdings from future attacks.

    We sought the names of potentially compromised clients and applied protective measures within our systems to their accounts, including impacted entity accounts and employee accounts.

    There are many variations of ransomware that affect business systems and data in different ways, and at the time of an attack you cannot know precisely what a particular strain will do. Some ransomware spreads across connected systems and silently copies information out before it does anything visible. Other ransomware is used to extort money by encrypting files with a key that only the criminal holds. If a ransom is paid there is no guarantee that your systems and data will be released, or that any copied data will be deleted, and paying marks you as a target for further attacks.

    Staff education is critical. Do not click on links, open attachments, download files or install applications from unexpected emails, because they may install ransomware on your computer. Ensure the security of your data by backing it up regularly. Keep at least one copy offline or otherwise out of reach of your day-to-day systems, since ransomware also encrypts any backup it can reach, and test that you can actually restore from it. Off-site data storage can be an effective part of this.


    How we protect clients affected by a data breach

    We protect the privacy of client records by our proof of record ownership processes. If a data breach occurs within your practice we may implement a range of additional safeguards to protect clients and government revenue.

    Understanding what treatments we may apply to protect your clients will help you support them.

    Treatment options

    Treatment options can include one or more of the following depending on the severity of the breach and any resultant fraud attempts.

    Additional proof of identity

    We may issue an alert to our staff requiring them to seek additional proof of record ownership from your client.

    The requirement will apply when your client interacts with us. The alert prompts our staff to ask additional questions when validating your client’s identity. This alert does not prevent you from dealing with us on behalf of your client or change how we will identify you.

    Asking questions only the genuine client will know assures us we are dealing with the actual client, and not an unauthorised third party.

    Your client may also elect to have a secret password created on their ATO record. The client can complete this with our staff over the phone or by attending one of our shopfronts with proof-of-identity documentation. Secret passwords validate a client’s identity when they deal with us.

    If a client fails to establish proof of identity with us, we will ask them to attend one of our shopfronts to supply full proof-of-identity documentation or complete a tax file number enquiry form on the Australia Post website.

    Additional monitoring processes

    We will continue to monitor your client’s ATO records. If we identify any irregular activity, we may contact you or your client to ensure the activity is legitimate. This may delay our processing of income tax returns and other forms.

    Additional security measures

    Depending on your client’s circumstances, we may also apply additional security measures within our systems. These measures prevent particular activity where we perceive increased risk to clients, government revenue or both.

    What this means for your client:

    • AUSkey applications will be delayed while we confirm the validity of the application
    • the client record may not be accessible through our online channels or myGov
    • pre-fill data may not be available
    • we may prevent business activity statements from issuing automatically; you or your client will need to contact us before each lodgment so we can generate these statements
    • we may stop income tax returns and other forms for verification; this may delay our processing of these forms.

    Appointment of a data breach manager

    In some cases we may assign a data breach manager who will assist you in the management of data breaches within your practice. The data breach manager may provide support to lessen the impact of the data breach on your practice and your client.

    Change AUSkey password

    If you are aware or suspect that your AUSkey has been compromised, we recommend you log in to the Australian Business Register AUSkey website and change your password.

    If you are a standard AUSkey holder you should also inform the AUSkey Administrator.

    If you are the Administrator AUSkey holder you should cancel an AUSkey when you are alerted to unauthorised access. You should also:

    • check AUSkey Manager and confirm all transactions are legitimate
    • regularly log in to AUSkey Manager to ensure only those authorised to have access to the portals hold active AUSkeys
    • cancel AUSkeys for staff who no longer require them
    • remove access immediately if your client has any concerns about an individual AUSkey holder's activities
    • ensure any employee who deals with us online on behalf of your business has their own AUSkey
    • keep AUSkey passwords secure – they should not be shared.

    See also:

    • Further information on how to change your password is available on the AUSkey website.
    • Contact the AUSkey technical helpline for assistance on 1300 AUSKEY (1300 287 539).
    Last modified: 07 Dec 2018 (QC 54173)