Speaking at the Accountants Technology Showcase Australia 2017, ATO chief digital officer and deputy commissioner John Dardo said existing ATO systems are now complemented by a more resilient, additional cloud-based gateway.
“We have two data centres, you know those nuclear proof, bullet proof type environments with power that runs from multiple grids and multiple phone systems connected to it. We have two of those and our [standard business reporting] systems start in a gateway that use those data centres," Mr Dardo said.
“Since July this year, we have slowly been turning on a second gateway for SBR and that second gateway is sitting in the cloud.
“That second gateway has multiple instances in multiple locations with more resilience than even our premises do, more resilience than our data centres do,” he added.
“This slowly increases the resilience of the systems that talk to software and banks and super but we also have to focus on the resilience of the bits that still sit in the data centre that these other places consume.”
Mr Dardo, who moved into his role in April this year, took time to defend the series of outages that plagued the ATO’s portals this year.
“Those outages were not because of an under investment. We had best of breed kit and best of breed provider, so it wasn't an under investment by the ATO that resulted in those outages,” Mr Dardo said.
“[The same] kits that are installed in banks, in insurance companies and telegram companies around the world so it was not an expected thing to have it fail in the way that it did.
“But having come into that space and seen how much work was being put into it by the IT guys that actually recovered it from those outages and be ready for tax time, I'm in awe of the work that they did.”
Managing cyber risks
Mr Dardo said the ATO would be moving to offer multi-factor authentication such as Touch ID on a mobile device, after highlighting the risk of single-factor authentication used in practices, whereby only one password is needed to access systems.
An example is a credential stuffing attack, in which an attacker takes usernames and passwords already leaked on the dark web, tries them against a victim’s other accounts, and hijacks any account where the same credentials were reused.
“A credential stuffing attack in a leveraged environment, for a tax practitioner or a BAS agent, has leveraged consequences — it's not just the practice that is compromised, it's every client of that practice that is compromised with them,” Mr Dardo said.
“What that means is that if a practitioner chooses to use the same password for a common service such as PayPal, LinkedIn, etc., that then becomes compromised and available on the dark web, every single client that uses that practitioner is compromised — every individual, every business, every employee of every business.
“So any environment that uses a single factor password potentially becomes vulnerable to a credential stuffing attack and we have seen those attacks in accounting software.”
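The pattern Mr Dardo describes, seen from the defender's side, as an added example that is not from the article or from the ATO: a small Python detector that reads constructed authentication log lines and flags a source that tries many distinct accounts in a short window with mostly failing results, separating the accounts it did get into (candidates for password reset and multi-factor enrolment) from the rest. The log format and thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (timestamp, source IP, username, outcome).
# 198.51.100.7 sprays leaked credentials across many accounts; 203.0.113.9 is
# one user mistyping a password once and then succeeding.
SAMPLE_LOG = """\
2017-11-01T09:00:01 198.51.100.7 alice@example-practice.test FAIL
2017-11-01T09:00:02 198.51.100.7 bob@example-practice.test FAIL
2017-11-01T09:00:03 198.51.100.7 carol@example-practice.test FAIL
2017-11-01T09:00:04 198.51.100.7 dave@example-practice.test SUCCESS
2017-11-01T09:00:05 198.51.100.7 erin@example-practice.test FAIL
2017-11-01T09:00:06 198.51.100.7 frank@example-practice.test FAIL
2017-11-01T09:05:00 203.0.113.9 alice@example-practice.test FAIL
2017-11-01T09:05:30 203.0.113.9 alice@example-practice.test SUCCESS
"""

def parse_events(text):
    """Turn log lines into (timestamp, source, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome == "SUCCESS"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Return {source: {"attempted": set, "compromised": set}} for sources that,
    inside any sliding window, tried at least min_users distinct accounts with a
    success rate no higher than max_success_rate (thresholds are assumptions)."""
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(events):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1            # slide the window forward in time
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                entry = flagged.setdefault(src, {"attempted": set(), "compromised": set()})
                entry["attempted"].update(users)
                entry["compromised"].update(u for _, u, ok in span if ok)
    return flagged
```

A retrying legitimate user never reaches the distinct-account threshold, so only the spraying source is reported.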