
ATO flags big ‘nuclear proof’ systems shift with tax, BAS agents


The tax office is shifting its approach to protecting and maintaining the digital systems used by accounting professionals, but remains well behind schedule with the rollout of its new portals for tax and BAS agents.

By Jotham Lian

Speaking at the Accountants Technology Showcase Australia 2017, ATO chief digital officer and deputy commissioner John Dardo said existing ATO systems are now complemented by a more resilient, additional cloud-based gateway.

“We have two data centres, you know those nuclear proof, bullet proof type environments with power that runs from multiple grids and multiple phone systems connected to it. We have two of those and our [standard business reporting] systems start in a gateway that use those data centres,” Mr Dardo said.

“Since July this year, we have slowly been turning on a second gateway for SBR and that second gateway is sitting in the cloud.


“That second gateway has multiple instances in multiple locations with more resilience than even our premises do, more resilience than our data centres do,” he added.

“This slowly increases the resilience of the systems that talk to software and banks and super but we also have to focus on the resilience of the bits that still sit in the data centre that these other places consume.”

Mr Dardo, who moved into his role in April this year, took time to defend the series of outages that plagued the ATO’s portals this year.

“Those outages were not because of an under investment. We had best of breed kit and best of breed provider, so it wasn't an under investment by the ATO that resulted in those outages,” Mr Dardo said.

“[The same] kits that are installed in banks, in insurance companies and telegram companies around the world so it was not an expected thing to have it fail in the way that it did. 

“But having come into that space and seen how much work was being put into it by the IT guys that actually recovered it from those outages and be ready for tax time, I'm in awe of the work that they did.”

Managing cyber risks

Mr Dardo said the ATO would be moving to offer multi-factor authentication such as Touch ID on a mobile device, after highlighting the risk of single-factor authentication used in practices, whereby only one password is needed to access systems.

An example is a credential stuffing attack, where a hacker looks for compromised usernames and passwords on the dark web, matches them to a victim’s existing accounts and hijacks those accounts.

“A credential stuffing attack in a leveraged environment, for a tax practitioner or a BAS agent, has leveraged consequences — it's not just the practice that is compromised, it's every client of that practice that is compromised with them,” Mr Dardo said.

“What that means is that if a practitioner chooses to use the same password for a common service such as PayPal, LinkedIn, etc., that then becomes compromised and available on the dark web, every single client that uses that practitioner is compromised — every individual, every business, every employee of every business.

“So any environment that uses a single factor password potentially becomes vulnerable to a credential stuffing attack and we have seen those attacks in accounting software.”


Jotham Lian is the editor of Accountants Daily, the leading source of breaking news, analysis and insight for Australian accounting professionals.

Before joining the team in 2017, Jotham wrote for a range of national mastheads including the Sydney Morning Herald, and Channel NewsAsia.
