myGov / Australian Taxation Office
Summary
The Australian Taxation Office revealed in July 2023 that fraudsters filed $557.8 million in false claims between July 2021 and February 2023 by exploiting a weakness in the myGov identification system. Criminals used personal details stolen from previous data breaches, particularly Optus and Medibank, to create fake myGov accounts linked to real taxpayers' ATO files and redirect tax refunds to their own bank accounts. Over 15,000 individuals were affected, with more than 37,000 business activity statements and individual tax return lodgements cancelled. The fraud exposed critical vulnerabilities in Australia's digital identity verification systems.
What Happened
Between July 2021 and February 2023, fraudsters exploited a weakness in the identification system used by the myGov online portal to redirect other people's tax refunds to their own bank accounts. The criminals created bogus myGov accounts and linked them to real taxpayers' ATO files using credentials stolen in previous major data breaches, notably the Medibank and Optus breaches.
The fraudsters used personal details from these earlier hacks—including names, dates of birth, addresses, and identity document numbers—to get past ATO identity verification gates. Most of the fraudulent payments were for small amounts (less than $5,000) and were not flagged by the ATO's monitoring systems, allowing the fraud to continue undetected for an extended period.
The fraud became public in July 2023, although the fraudulent activity had been occurring for nearly two years. More than 37,000 business activity statements and individual tax return lodgements were ultimately cancelled, totalling $557.8 million in value.
Impact on Individuals
Over 15,000 individuals had their identities used to file fraudulent tax claims. For these victims, the fraud created multiple problems:
- Tax return complications: Legitimate tax refunds were delayed or complicated by fraudulent filings
- Account security concerns: Victims' myGov accounts were compromised, or fraudulent accounts were created in their names
- Credit implications: Some victims faced follow-up issues with credit ratings or government debt collection
- Ongoing vulnerability: Personal details used in the fraud remain exposed from original breaches
The fraud highlighted how data stolen in one breach (Optus, Medibank) could be weaponised to commit fraud against government services years later. Victims of the original breaches faced ongoing consequences as their stolen credentials enabled new waves of criminal activity.
Organisational Response
The ATO worked to identify and cancel fraudulent lodgements, ultimately stopping $557.8 million worth of false claims, though it remains unclear how much money was actually paid out to attackers before detection.
The incident prompted urgent calls to strengthen the myGov identification system. Security experts criticised the "side entrance" vulnerability that allowed fraudsters to bypass proper identity verification by exploiting weaknesses in account linking processes.
The ATO increased monitoring and implemented additional security controls to detect suspicious patterns of tax filings and refund redirections. However, the fact that most fraudulent payments were small enough to avoid triggering automated alerts revealed significant gaps in the ATO's fraud detection capabilities.
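An added example, not ATO or myGov code, of the detection gap described above: a per-payment amount threshold set beside two pattern rules that ignore the amount. The event fields, the 14-day window and the shared-account check are assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AMOUNT_THRESHOLD = 5000      # from the page: most fraudulent payments were under $5,000
WINDOW = timedelta(days=14)  # assumed look-back window, not an ATO figure

# Constructed sample events: (time, taxpayer, event type, value)
EVENTS = [
    ("2021-06-01T09:00", "TP-002", "mygov_link", "new-account"),
    ("2021-06-01T09:10", "TP-002", "bank_change", "ACC-1002"),
    ("2022-03-01T09:00", "TP-001", "mygov_link", "new-account"),
    ("2022-03-01T09:20", "TP-001", "bank_change", "ACC-9001"),
    ("2022-03-02T10:00", "TP-001", "refund_claim", 3200),
    ("2022-03-05T11:00", "TP-002", "refund_claim", 1800),
    ("2022-03-06T08:00", "TP-003", "mygov_link", "new-account"),
    ("2022-03-06T08:30", "TP-003", "bank_change", "ACC-9001"),
    ("2022-03-07T12:00", "TP-003", "refund_claim", 4100),
    ("2022-03-08T12:00", "TP-004", "refund_claim", 7500),
]

def amount_rule(events):
    """Per-payment rule: flag only claims above the threshold."""
    return {tp for _, tp, kind, val in events
            if kind == "refund_claim" and val > AMOUNT_THRESHOLD}

def sequence_rule(events):
    """Flag a claim of any size that follows both a new account link and a
    bank-detail change on the same taxpayer file within WINDOW."""
    last = defaultdict(dict)  # taxpayer -> {event type: time last seen}
    flagged = set()
    for ts, tp, kind, _ in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "refund_claim":
            recent = [last[tp].get(k) for k in ("mygov_link", "bank_change")]
            if all(r is not None and t - r <= WINDOW for r in recent):
                flagged.add(tp)
        else:
            last[tp][kind] = t
    return flagged

def shared_accounts(events):
    """Destination accounts set on more than one taxpayer's file (assumed signal)."""
    owners = defaultdict(set)
    for _, tp, kind, val in events:
        if kind == "bank_change":
            owners[val].add(tp)
    return {acc: tps for acc, tps in owners.items() if len(tps) > 1}
```

On the constructed data the amount rule flags only TP-004, while the sequence rule flags TP-001 and TP-003, whose claims are both under the threshold.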
The incident became a major case study in how digital identity systems can be systematically exploited when criminals have access to personal information from previous breaches, underscoring the long-term consequences of major data breaches and the cascading vulnerabilities they create across government services.