Speaking on the ATO’s Tax Time Cyber Security webinar, ATO chief information security officer Jamie Norton said there had been a number of breaches, ranging from insider threats to software intrusions, that led to serious consequences for accounting firms.
In one instance last year, a cyber-criminal remotely authenticated to one of an accounting firm’s internet-facing servers that was running Remote Desktop Protocol, forcing past the account’s username and password because they were weak.
In doing so, the cyber-criminal was able to access client payroll data, change payroll bank details, lodge fraudulent tax return amendments, and access and roll over SMSF account balances to another superannuation account.
“Once the attackers did have access to a very insecure way of providing access to an organisation by using weak usernames and passwords, they were about to create a lot of havoc, do a lot of fraudulent activity and get a lot of money out of the organisations,” said Australian Cyber Security Centre (ACSC) director, Nathan Morelli.
“It really means that everyone is a potential target, that you’ve got to make that assumption in your organisation that your data is invaluable, that you need to protect it and that you should be prepared that an event will happen and who you need to contact, who you need to engage to restore your business in those situations.”
Mr Norton also highlighted the risk of insider threats, where employees, either past or present, fraudulently access data.
“[There was an example of] an employee stealing client details, enabling them to use the AUSkey fraudulently and gain access to the system. Whilst we were able to address that and cancel the AUSkeys, it nonetheless highlights how we need to remain vigilant and ensure we are securing client data,” said Mr Norton.
“If someone has left your organisation, if they have been terminated, make sure that passwords are changed for systems they may have access to because we do see scenarios where ex-employees are able to come in and potentially delete data or erase data.
“In the event of a breach, we recommend you contact us as soon as possible so we can take measures to protect your client records, government revenue and also superannuation investments. There are a number of activities we can take as the ATO to protect client information and data.”
Mandatory data breach laws came into effect earlier this year and require firms to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of a data breach.
The Notifiable Data Breaches (NDB) scheme has significant application to tax professionals, as it covers individuals who receive and handle tax file numbers (TFNs), as well as entities covered by the Privacy Act.
According to the ACSC, 59 per cent of Australian businesses are interrupted by cyber breaches every month, with 80 per cent of hacking-related breaches involving weak or stolen passwords.
“Cyber-crime is estimated to cost Australia $1 billion each year and by some estimates the real impact to Australians can come up to $17 billion annually,” said Mr Morelli.
“Using strong passwords on all accounts and encouraging staff to do the same is one of the most simple and effective measures a business can take to protect themselves online.”