The Prime Minister reported in June, that there had been an increase in cyber incidents in the community over recent months.
The ATO has witnessed an increase in the number of organisations and individuals reporting cyber incidents resulting in the exfiltration of personally identifying information, not necessarily limited to TFNs.
Steps the ATO, and stakeholders take:
The ATO relies on individuals and organisations, including tax practitioners, who have been impacted by a cyber incident to self-report. However, in some instances the ATO will reach out to individuals and organisations it suspects of having suffered a cyber incident to discuss the possibility of TFNs and/or other personally identifying information having been compromised.
The ATO has a number of options available to protect these accounts and detect fraudulent transactions. The option taken depends on the level of risk associated with the incident.
Potential impacts to Tax Practitioners on protective measures applied:
Some of the protective measures will prevent access to ATO online for the individuals, which means that they will need to contact the ATO to confirm their identity so the measures can be temporarily lifted.
The ATO acknowledges that these measures may be disruptive, but we have processes in place to minimise the disruptions.
Although the measures will not prevent tax professionals’ access to the records, they will not be able to perform some functions without first requesting that the measures be temporarily lifted – these include tax return pre-fill and lodgement.
Although not all cyber incidents involve the compromise of TFNs, the ATO will still apply protective measures to accounts where the individuals’ other personally identifying information have become compromised.
Additional steps agents can take:
Tax professionals play an important role in combatting identity crime by applying robust Know Your Customer (KYC) controls in dealing with clients.
The ATO encourages the community to know and implement the essential 8 cyber mitigation steps and subscribe to www.cyber.gov.
The ATO believes it critical that organisations have a Data Breach Response Plan (DBRP) in place, and can seek information how to formulate one from the OAIC
The ATO has available for tax professionals data breach guidance material.