Nov 2017

The perfect storm. Is your Australian tax compliance client data secure

The perfect storm. Is your Australian tax compliance client data secure?

By: Odyssey Legislation
Tags: cyber risks, Data breach, Data security

Rewinding back to earlier this year, Australia will have a mandatory data breach notification scheme in place within the year after several aborted attempts, following the passage of legislation through the senate.

There has certainly been a raft of overseas data breaches, and some of them like the Equifax breach has put Australians’ sensitive financial information at risk.

What is interesting is that Equifax defends a long delay in notifying of cyberattack, and while the Equifax hack occurred in May, it wasn’t detected until July, and wasn’t confirmed until September, almost half a year after the breach occurred. It might take some time for the hackers to sift through the personal data of 143 million people, but it has been hacked.

And at the same time, Australian credit organisations, retailers and superannuation clearing houses could be tempting, data-rich targets for hackers, cybersecurity experts have warned.

Certainly there are plenty of horror stories in Australia. One large IT business was destroyed a few years ago through key logging malware being installed onto a staff member’s laptop.  With 20-20 hindsight the owners recognised dropping their websites alerted the hackers that they had been found out, which as it turns out was the wrong approach.

Just recently we’ve seen a subcontractor to the DoD see some of their information disappear as attackers exploited a weakness in software that had not been updated for 12 months, but also could have used the username-password combinations “admin admin” and “guest guest” to access the company’s web portal.

And then there is the risk of ransomware viruses hitting computers.

Australian accountants, holders of important key client data, are also at risk. Probably more so. In September it was reported that Deloitte was compromised and the breach was noticed in March. In this case it was reported that the hackers just needed to acquire a single password from an administrator of the firm’s email accounts. As the article mentions, Deloitte appears to have taken great pains to keep its investigation, codenamed “Windham”, under wraps.

Certainly Australian accountants are ‘at risk’ of forgetting cyber risks, and there has been plenty of instances where clients are contacted by the “fake” ATO asking for confidential information, or even to settle a tax debt using untraceable funds. The ATO continually updates information on scams on their website.

And it’s recently been noted that Australian Accountants have been identified as an attractive “attack group” given the type and volume of data they retain for clients, and a 15 per cent spike in attacks last financial year has widened the net to include mid-size firms.

With the new legislation in place, it’s no longer an option to “stick your head in the sand”, nor is it an option to hope that if an attack does happen then you can delay notifying the authorities. Hacks are likely to become public knowledge quickly, and the disruption or destruction of a firm is in the hands of the owners and their commitment to Cyber security.

Share this article