Criminals exploiting a loophole in the government’s digital identity systems filed more than $550 million in false claims over the last two financial years, the ATO has disclosed.
The ABC reported this morning that criminals had found they could create bogus myGov accounts, and then link them to real taxpayers’ ATO files.
An earlier December 2022 investigation found attackers were using customer identity information stolen in high-profile data breaches like Optus and Medibank as part of the fraud.
In information released under FoI [pdf], the ATO said more than 15,000 individuals were affected over the two years, with more than 37,000 business activity statements and individual tax return lodgements cancelled, to a total value of $557.8 million.
Some of the false filings were cancelled before they were paid, so it’s not possible to ascertain how much money was actually paid out to the attackers.
The ATO’s response to the FOI covers the two years to February 28, meaning the cost of the fraud could be more for the whole of the 2022-23 financial year.
The ABC reported that the ATO was also uncertain about how much of the $557.8 million was directly attributable to the myGov loophole.
ATO second commissioner Jeremy Hirschhorn told the ABC that the agency was “managing an acceptable level of risk”.
He said the myGov and ATO settings were designed to make systems easy to access for taxpayers, but hard to access for criminals.